Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security issue in Tessera, please report it responsibly:
- Email: [email protected]
- Include a description of the vulnerability, steps to reproduce, and potential impact
- We will acknowledge receipt within 48 hours
- We will provide a timeline for a fix within 5 business days
| Version | Supported |
|---|---|
| main (dev) | ✅ |
The following are in scope:
- Authentication bypass (admin API key, HMAC vote signing)
- Authorization flaws (read/write separation)
- IP binding bypass (`bind_ip` enforcement)
- Injection attacks (API endpoints, config parsing)
- Information disclosure (voter PSKs, API tokens, admin keys)
- Container escape or privilege escalation
- CSP bypass or XSS
The following are out of scope:
- Denial of service against the voter quorum (requires network access to all voters)
- Issues in Technitium DNS Server itself (report upstream)
- Social engineering
- Issues requiring physical access to the host
We follow coordinated disclosure. We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify other users' data
We will credit reporters in the release notes (unless you prefer anonymity).