We provide security updates for the following versions of waitup:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability in waitup, please report it responsibly.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them privately by:
- Email: Send details to kalyuzhni.sergei@gmail.com
- Subject: Include "SECURITY" in the subject line
- Details: Provide as much information as possible
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information for follow-up
- 24 hours: Acknowledgment of your report
- 72 hours: Initial assessment and triage
- 7 days: Detailed response with timeline for fix
- 30 days: Security patch release (if applicable)
- We will coordinate disclosure timing with you
- We prefer responsible disclosure after a fix is available
- We will acknowledge your contribution (unless you prefer anonymity)
- We may offer a bug bounty for significant vulnerabilities
waitup makes network connections to test connectivity. Consider these security aspects:
- Uses system DNS resolver
- Subject to DNS spoofing attacks
- Consider using specific DNS servers in secure environments
- Creates outbound TCP connections
- Does not transmit sensitive data
- Uses standard socket connections
- Makes HTTP requests to specified endpoints
- Follows redirects (security consideration)
- Does not validate TLS certificates by default
- Consider network policies in production
waitup validates:
- Host/port formats
- URL formats
- Time duration formats
- Command line arguments
When using the -- command feature:
- Executes arbitrary commands after successful connections
- Commands run with the same privileges as waitup
- Consider principle of least privilege
- Validate command arguments in scripts
waitup reads environment variables:
WAITUP_TIMEOUTWAITUP_INTERVAL
These are not security-sensitive but could affect behavior.
- Least Privilege: Run with minimal required permissions
- Network Policies: Use firewall rules to restrict connections
- Input Validation: Validate hostnames and URLs in scripts
- Logging: Monitor connection attempts in security-sensitive environments
- Timeouts: Use reasonable timeouts to prevent resource exhaustion
When using in containers:
# Run as non-root user
USER 1000:1000
# Minimal image
FROM scratch
COPY waitup /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/waitup"]In Kubernetes environments:
# Security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL- Risk: DNS responses could be spoofed
- Mitigation: Use trusted DNS servers, validate endpoints
- Risk: Malicious commands in
-- commandsyntax - Mitigation: Validate input, use absolute paths
- Risk: Long timeouts could consume resources
- Mitigation: Set reasonable timeout limits
- Risk: Could be used for network reconnaissance
- Mitigation: Monitor usage, apply network policies
- Security updates will be released as patch versions
- Critical vulnerabilities will be announced in release notes
- Subscribe to GitHub releases for notifications
If you have questions about security but not a vulnerability to report, please:
- Open a GitHub issue with the
securitylabel - Email kalyuzhni.sergei@gmail.com with "SECURITY QUESTION" in subject
Thank you for helping keep waitup secure!