We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 1.3.x | ✅ |
| < 1.3 | ❌ |
We take the security of MrRSS seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:
- Open a public GitHub issue
- Disclose the vulnerability publicly before it has been addressed

Please do:
- Email us directly at [INSERT SECURITY EMAIL HERE]
- Include the following information:
  - Type of vulnerability
  - Full description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if any)
  - Your name/handle (for acknowledgment)

What to expect after you report:
- Initial Response: Within 48 hours
- Status Updates: Regular updates on progress
- Fix Timeline: We aim to address critical vulnerabilities within 7 days
- Credit: We will acknowledge your contribution (unless you prefer to remain anonymous)

When using MrRSS:
- Download from Official Sources: Only download releases from GitHub
- Verify Signatures: Check release signatures when available
- Keep Updated: Use the latest version
- API Keys: Store API keys securely (e.g., DeepL API key)
- OPML Files: Be cautious when importing OPML from untrusted sources

When contributing to MrRSS:
- Dependencies: Regularly update dependencies
- Code Review: All code changes should be reviewed
- Input Validation: Validate all user inputs
- Secrets: Never commit secrets or API keys
- Testing: Include security tests in the test suite

MrRSS implements the following security features:
- Local-Only: All data is stored locally in SQLite
- No Cloud Sync: No data is sent to external servers (except feed fetching and translation)
- No Analytics: No tracking or analytics
- HTTPS: Feed fetching uses HTTPS when available
- API Security: Translation API keys are stored locally
- No Telemetry: No usage data is collected
- Input Sanitization: All user inputs are sanitized
- SQL Injection Protection: Parameterized queries prevent SQL injection
- XSS Prevention: Vue.js escapes content by default
- Dependency Scanning: Automated dependency vulnerability scanning

Known limitations:
- Feed Content: Content from RSS feeds is displayed as-is
- External Links: Clicking article links opens external content
- Translation Services: Translation features rely on third-party services

Security updates are released as soon as possible after a vulnerability is confirmed:
- Critical: Immediate patch release
- High: Within 7 days
- Medium: Within 30 days
- Low: Next regular release

Disclosure policy:
- Coordinated Disclosure: We follow a coordinated disclosure policy
- Public Disclosure: Vulnerabilities are disclosed after a patch is available
- Credit: Security researchers are credited in release notes

For security-related questions that are not vulnerabilities:
- Contact us at mail@ch3nyang.top

Thank you for helping keep MrRSS and its users safe!