rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-04-10 21:03:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
33d023bbd5f2a0f523b79128c882758791fd4ec2
LEDMatrix/SECURITY.md
Chuck 38773044e9 Add CODE_OF_CONDUCT, SECURITY, PR template; link them from README 
Tier 1 organizational files that any open-source project at
LEDMatrix's maturity is expected to have. None of these existed
before. They're additive — no existing content was rewritten.

CODE_OF_CONDUCT.md
- Contributor Covenant 2.1 (the de facto standard for open-source
  projects). Mentions both the Discord and the GitHub Security
  Advisories channel for reporting violations.

SECURITY.md
- Private vulnerability disclosure flow with two channels: GitHub
  Security Advisories (preferred) and Discord DM.
- Documents the project's known security model as intentional
  rather than vulnerabilities: no web UI auth, plugins run
  unsandboxed, display service runs as root for GPIO access,
  config_secrets.json is plaintext. These match the limitations
  already called out in PLUGIN_QUICK_REFERENCE.md and the audit
  flagging from earlier in this PR.
- Out-of-scope section points users at upstream
  (rpi-rgb-led-matrix, third-party plugins) so reports land in the
  right place.

.github/PULL_REQUEST_TEMPLATE.md
- 10-line checklist that prompts for the things that would have
  caught the bugs in this very PR: did you load the changed plugin
  once, did you update docs alongside code, are there any plugin
  compatibility implications.
- Linked from CONTRIBUTING.md for the full flow.

README.md
- Added a License section near the bottom (the README previously
  said nothing about the license despite the project being GPL-3.0).
- Added a Contributing section pointing at CONTRIBUTING.md and
  SECURITY.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 12:52:48 -04:00

3.2 KiB
Raw Blame History

Security Policy

Reporting a vulnerability

If you've found a security issue in LEDMatrix, please don't open a public GitHub issue. Disclose it privately so we can fix it before it's exploited.

How to report

Use one of these channels, in order of preference:

  1. GitHub Security Advisories (preferred). On the LEDMatrix repo, go to Security → Advisories → Report a vulnerability. This creates a private discussion thread visible only to you and the maintainer.
  2. Discord DM. Send a direct message to a moderator on the LEDMatrix Discord. Don't post in public channels.

Please include:

  • A description of the issue
  • The version / commit hash you're testing against
  • Steps to reproduce, ideally a minimal proof of concept
  • The impact you can demonstrate
  • Any suggested mitigation

What to expect

  • An acknowledgement within a few days (this is a hobby project, not a 24/7 ops team).
  • A discussion of the issue's severity and a plan for the fix.
  • Credit in the release notes when the fix ships, unless you'd prefer to remain anonymous.
  • For high-severity issues affecting active deployments, we'll coordinate disclosure timing with you.

Scope

In scope for this policy:

  • The LEDMatrix display controller, web interface, and plugin loader in this repository
  • The official plugins in ledmatrix-plugins
  • Installation scripts and systemd unit files

Out of scope (please report upstream):

  • Vulnerabilities in rpi-rgb-led-matrix itself — report to https://github.com/hzeller/rpi-rgb-led-matrix
  • Vulnerabilities in Python packages we depend on — report to the upstream package maintainer
  • Issues in third-party plugins not in ledmatrix-plugins — report to that plugin's repository

Known security model

LEDMatrix is designed for trusted local networks. Several limitations are intentional rather than vulnerabilities:

  • No web UI authentication. The web interface assumes the network it's running on is trusted. Don't expose port 5000 to the internet.
  • Plugins run unsandboxed. Installed plugins execute in the same Python process as the display loop with full file-system and network access. Review plugin code (especially third-party plugins from arbitrary GitHub URLs) before installing. The Plugin Store marks community plugins as Custom to highlight this.
  • The display service runs as root for hardware GPIO access. This is required by rpi-rgb-led-matrix.
  • config_secrets.json is plaintext. API keys and tokens are stored unencrypted on the Pi. Lock down filesystem permissions on the config directory if this matters for your deployment.

These are documented as known limitations rather than bugs. If you have ideas for improving them while keeping the project usable on a Pi, open a discussion — we're interested.

Supported versions

LEDMatrix is rolling-release on main. Security fixes land on main and become available the next time users run Update Code from the web UI's Overview tab (which does a git pull). There are no LTS branches.

Reference in New Issue View Git Blame Copy Permalink