Security: jhinrichsen/firefox-password-merger

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
Latest
< 1.0

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Email: [email protected]

Please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if available)

Response Time:

  • Initial response: Within 48 hours
  • Status update: Within 7 days
  • Fix timeline: Depends on severity (critical issues within 14 days)

What to Expect

  1. Acknowledgment: We'll confirm receipt of your report within 48 hours
  2. Assessment: We'll assess the severity and impact of the vulnerability
  3. Fix Development: We'll develop and test a fix
  4. Disclosure: We'll coordinate disclosure timing with you
  5. Credit: We'll credit you in the security advisory (if desired)

Security Disclosure Policy

  • Private disclosure first: Please give us time to fix the issue before public disclosure
  • Coordinated disclosure: We'll work with you on disclosure timing
  • Public advisory: We'll publish a security advisory after the fix is released

Security Features

This project implements multiple security measures:

Supply Chain Security

  • Zero External Dependencies: No third-party packages = no supply chain risk
  • Static Binary: No runtime dependencies, no shared library attacks
  • Reproducible Builds: Deterministic builds with -trimpath and locked Go version
  • SBOM Generation: Software Bill of Materials available via make sbom

Code Security

  • Input Validation: All git commit hashes validated with regex ^[a-f0-9]{7,40}$
  • Command Injection Prevention: No user input passed directly to shell commands
  • Static Analysis: gosec SAST scanning enabled in .golangci.yml
  • Vulnerability Scanning: Regular govulncheck scans for known CVEs

Binary Hardening

  • Pure Static Binary: CGO_ENABLED=0 creates pure Go binary with no C dependencies or shared libraries
  • Symbol Stripping: -s flag removes symbol table
  • Debug Info Removal: -w flag strips DWARF debug information
  • Reproducible Builds: -trimpath and -buildvcs=false ensure deterministic compilation

Operational Security

  • Dry-run Default: Must explicitly use -f flag to modify files
  • Automatic Backups: Creates .bak files before applying changes
  • Git Tracked: Base password file should be in private git repository
  • Plaintext Warning: Users warned about unencrypted CSV format
  • Seccomp Filtering: Optional syscall blacklist blocks networking and dangerous operations (see SECCOMP.md)

Seccomp Syscall Filtering

For defense-in-depth, this project provides an optional Seccomp-BPF profile that restricts which system calls the binary can make.

What's Blocked

  • Networking: All socket operations (socket, connect, bind, listen, etc.)
  • Process manipulation: ptrace, process_vm_readv, process_vm_writev
  • Kernel operations: Module loading, kernel execution, reboot
  • Exploitation primitives: bpf, userfaultfd, perf_event_open

Why Blacklist (not Whitelist)

This profile uses a blacklist approach (default allow, block dangerous ones):

  • More robust than whitelisting
  • Compatible with different Go runtime versions
  • Doesn't break when Go adds new syscalls
  • Recommended by security experts for userspace tools

Usage

# Using Firejail
firejail --seccomp.drop=@network,@module,@raw-io fpm passwords.csv export.csv

# What happens if exploited:
# - Attacker tries socket() → EPERM (Operation not permitted)
# - Attacker tries ptrace() → EPERM
# - Normal file operations → Work fine

See SECCOMP.md for complete documentation.

Security Scanning

Run security scans locally:

# All security scans
make security

# Individual scans
make vulncheck  # Go vulnerability scanning
make trivy      # Trivy vulnerability and misconfiguration scanning
make semgrep    # Semgrep SAST scanning
make lint       # Includes gosec static analysis

Known Limitations

Plaintext Password Storage

Firefox's CSV export format stores passwords in plaintext. This is a design limitation of Firefox's export feature, not this tool.

Mitigations:

  • Keep CSV files in encrypted storage
  • Use appropriate file permissions (0600)
  • Store in private git repository with limited access
  • Delete export files after merging

Git Command Injection

This tool executes the external git command. While all inputs are validated, users should:

  • Only use this tool in trusted git repositories
  • Verify git executable is legitimate (which git)
  • Keep git binary up to date
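The commit-hash regex listed under Code Security and the no-shell git invocation this section relies on, as an added Go example that is not code from the project; ValidateCommitHash, GitShowArgs, RunGitShow and ErrInvalidHash are hypothetical names:

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// commitHashRe is the pattern quoted above: 7 to 40 lowercase hex characters.
// The anchors matter: without them "a1b2c3d; id" still contains a match.
var commitHashRe = regexp.MustCompile(`^[a-f0-9]{7,40}$`)

// ErrInvalidHash is a hypothetical error name, not one from the project.
var ErrInvalidHash = errors.New("invalid git commit hash")

// ValidateCommitHash accepts only strings that match commitHashRe in full.
func ValidateCommitHash(h string) error {
	if !commitHashRe.MatchString(h) {
		return ErrInvalidHash
	}
	return nil
}

// GitShowArgs builds the argv for `git show <hash>:<path>` after validating the
// hash. The slice is meant for exec.Command, which passes each element as its own
// argv entry: no shell parses it, so metacharacters cannot start a second command.
func GitShowArgs(hash, path string) ([]string, error) {
	if err := ValidateCommitHash(hash); err != nil {
		return nil, err
	}
	return []string{"show", hash + ":" + path}, nil
}

// RunGitShow runs git directly (no "sh -c"). It needs a real repository, so the
// accompanying checks only exercise the two functions above.
func RunGitShow(hash, path string) ([]byte, error) {
	args, err := GitShowArgs(hash, path)
	if err != nil {
		return nil, err
	}
	return exec.Command("git", args...).Output()
}

func main() {
	// Constructed inputs: a short hash, an injection attempt, uppercase hex.
	for _, in := range []string{"a1b2c3d", "a1b2c3d; id", "A1B2C3D"} {
		fmt.Printf("%q -> %v\n", in, ValidateCommitHash(in))
	}
}
```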

Terminal Input

Interactive mode reads from stdin. Users should:

  • Use in trusted terminal environments
  • Be aware of terminal history/logging
  • Consider using -q flag in scripts

Security Testing

Automated Testing

  • CI Pipeline: GitLab CI runs security scans on every commit
  • gosec: Static analysis for common security issues
  • govulncheck: Checks against Go vulnerability database
  • Trivy: Scans for vulnerabilities and misconfigurations

Manual Testing

Security researchers are welcome to audit this codebase. It's deliberately small (~2000 LOC) for auditability.

Testing Areas:

  • Input validation (git commit hashes, file paths)
  • Command injection vectors
  • File handling (backup creation, CSV parsing)
  • Git operations (log, show, diff)

Security Acknowledgments

Hall of Fame

We'll list security researchers who responsibly disclose vulnerabilities here.

No vulnerabilities reported yet.

Threat Model

See THREAT_MODEL.md for detailed threat analysis and mitigation strategies.

Security Updates

Security updates will be:

  • Released as patch versions (x.y.Z)
  • Tagged with security label in release notes
  • Announced in GitLab/GitHub releases
  • Documented in CHANGELOG

References

Contact

For non-security issues, please use:

For security issues, email: [email protected]
