ccboard is currently in active development. Security updates are provided for the latest release only.
| Version | Supported |
|---|---|
| 0.4.x+ | ✅ |
| < 0.4 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in ccboard, please report it responsibly:
- Email: florian.bruniaux@gmail.com
- Subject: `[SECURITY] ccboard - Brief Description`
- Acknowledgment: Within 48 hours of receiving your report
- Initial Assessment: Within 7 days
- Fix & Disclosure: Coordinated timeline based on severity
To help us triage and fix the issue quickly, please include:
- Description: Clear explanation of the vulnerability
- Impact: Potential security impact and affected versions
- Steps to Reproduce: Detailed steps or proof-of-concept
- Environment: OS, Rust version, ccboard version
- Suggested Fix: Optional, but appreciated
We follow responsible disclosure principles:
- We will acknowledge receipt of your report within 48 hours
- We will provide regular updates on our progress
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We will coordinate the public disclosure timeline with you
Once a report is confirmed, the disclosure process is:
1. Fix Development: We develop and test the fix
2. Advisory Draft: We prepare a security advisory
3. Coordinated Release: We release the fix and publish the advisory
4. Public Disclosure: We announce the vulnerability and fix
When using ccboard:
- Keep Updated: Always use the latest release for security fixes
- File Permissions: Ensure `~/.claude` has appropriate permissions (readable only by you)
- Sensitive Data: ccboard reads local files but never transmits data externally
- Code Review: ccboard is open-source - audit the code if handling sensitive projects
The following are in scope:
- Security vulnerabilities in ccboard code
- Data leakage through file system operations
- Unsafe code that could lead to memory issues
- Dependencies with known vulnerabilities
The following are out of scope:
- Issues with Claude Code itself (report to Anthropic)
- User misconfiguration
- Social engineering attacks
- Physical access vulnerabilities
ccboard is designed with security in mind:
- Read-Only Operations: ccboard only reads from `~/.claude`, never writes (MVP)
- Local Processing: All data processing is local, no external connections
- Minimal Dependencies: Small dependency footprint to reduce attack surface
- Memory Safety: Rust's memory safety guarantees prevent common vulnerabilities
ccboard includes security-focused tooling in its development workflow:
- `cargo audit`: Dependency vulnerability scanning (run periodically)
- `cargo clippy`: Static analysis for unsafe patterns (enforced pre-commit)
- Path traversal tests: `sanitize_project_path()` strips `..` components
- Symlink rejection: Prevents directory traversal via symlinks
- OOM protection: 10MB line size limit for JSONL parsing
- Credential masking: API keys displayed as `sk-ant-••••cdef`
| Surface | Risk | Mitigation |
|---|---|---|
| File system | Path traversal, symlink attacks | `sanitize_project_path()`, symlink rejection |
| SQLite cache | SQL injection via file paths | Parameterized queries only |
| JSONL parsing | OOM via large lines | 10MB line size limit |
| Dependencies | Supply chain vulnerabilities | Minimal deps, periodic `cargo audit` |
| Web API | Unauthorized access | Local-only binding (127.0.0.1), CORS restricted |
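As an added illustration (not ccboard's own code), the following Rust sketch shows the shape of three of the mitigations listed above: a `sanitize_project_path()`-style function that drops `..` and root components, a per-component symlink check, and credential masking in the `sk-ant-••••cdef` form. The helper names `rejects_symlinks` and `mask_api_key` and their signatures are assumptions for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Example of a sanitize_project_path()-style check (not ccboard's
/// implementation): keep only normal components under `root`; `..`, `.`,
/// root and drive-prefix components are dropped, so the result cannot
/// point outside `root` no matter what the untrusted string contains.
pub fn sanitize_project_path(root: &Path, untrusted: &str) -> PathBuf {
    let mut out = root.to_path_buf();
    for c in Path::new(untrusted).components() {
        if let Component::Normal(seg) = c {
            out.push(seg);
        }
        // every other component kind (ParentDir, CurDir, RootDir, Prefix)
        // is discarded rather than resolved
    }
    out
}

/// Assumed helper: walk from `root` down to `sanitized`, refusing any
/// component that is a symlink so a link planted inside the tree cannot
/// redirect reads elsewhere. Components that do not exist are treated as
/// not-a-symlink; a path outside `root` is rejected outright.
pub fn rejects_symlinks(root: &Path, sanitized: &Path) -> Result<(), String> {
    let rel = sanitized
        .strip_prefix(root)
        .map_err(|_| format!("{} is outside {}", sanitized.display(), root.display()))?;
    let mut cur = root.to_path_buf();
    for c in rel.components() {
        cur.push(c);
        // symlink_metadata does not follow links, so the link itself is inspected
        if let Ok(md) = std::fs::symlink_metadata(&cur) {
            if md.file_type().is_symlink() {
                return Err(format!("symlink rejected: {}", cur.display()));
            }
        }
    }
    Ok(())
}

/// Assumed helper: display an Anthropic-style key as `sk-ant-••••` plus its
/// last four characters; anything too short or with an unexpected prefix is
/// fully masked so no partial secret leaks into the UI.
pub fn mask_api_key(key: &str) -> String {
    const PREFIX: &str = "sk-ant-";
    let n = key.chars().count();
    if !key.starts_with(PREFIX) || n <= PREFIX.len() + 4 {
        return "••••".to_string();
    }
    let tail: String = key.chars().skip(n - 4).collect();
    format!("{}••••{}", PREFIX, tail)
}
```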
Last Updated: 2026-02-10
Contact: florian.bruniaux@gmail.com