Skip to content

Security

BenJule edited this page May 31, 2026 · 2 revisions

Security

Supported Versions

Version Supported
Latest release ✅ Active support
Previous release ⚠️ Critical fixes only
Older releases ❌ Not supported
Nightly builds ❌ Not supported (pre-release)

Reporting a Vulnerability

Caution

Do not report security vulnerabilities through public GitHub issues. Public disclosure before a fix is available puts all users at risk.

Use GitHub's private vulnerability reporting: Report a vulnerability →

What to include

  • Type of vulnerability (buffer overflow, RCE, path traversal, XSS in the UI, etc.)
  • File paths and line numbers of affected source code
  • Steps to reproduce — be as specific as possible
  • Proof-of-concept or exploit code (if available)
  • Impact assessment — who is affected, under what conditions
  • Suggested fix (optional but appreciated)

Response timeline

Step Target
Initial acknowledgement Within 7 days
Triage and severity assessment Within 14 days
Fix development and testing Depends on severity
Coordinated disclosure After fix is released

Scope

In scope

  • The BambuStudio slicer application (this repository)
  • The CI/CD pipeline (.github/workflows/)
  • The APT repository infrastructure (apt.s3-dev.ovh)
  • The build scripts (BuildLinux.sh, scripts/)

Out of scope

  • Bambu Lab cloud infrastructure — report to Bambu Lab
  • Printer firmware — report to Bambu Lab
  • Third-party dependencies — report to the respective upstream project
  • Flathub — report to the Flathub maintainers

Security Controls

This repository implements multiple layers of security hardening.

Code Scanning

Tool Scope Schedule
CodeQL (C++, JS) All source code Every PR + weekly
Dependency Review New dependencies in PRs Every PR (required check)
Dependabot GitHub Actions + npm Weekly, Monday
OpenSSF Scorecard Repository security posture Weekly + push

Supply Chain Security

All GitHub Actions workflow steps use pinned SHA references (not floating tags):

# ✅ Correct — pinned to exact commit
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6

# ❌ Wrong — floating tag can be moved
uses: actions/checkout@v4

Harden Runner (step-security/harden-runner) is applied to every job with egress-policy: audit. This logs all outbound network connections made during CI jobs.

Branch Protection (master)

Control Status
Required status checks (CI + security review) ✅ Enforced
Required conversation resolution ✅ Enforced
Signed commits (GPG) ✅ Required
Force push ❌ Blocked
Branch deletion ❌ Blocked
Enforce admins ✅ Yes — applies to everyone

Access Control

  • The repository follows least-privilege: all workflows use permissions: read-all by default and request only the specific write permissions they need
  • Deploy secrets (AUR SSH key, Homebrew token, S3 credentials) are stored as repository secrets and are not accessible to fork PRs

OpenSSF Scorecard

OpenSSF Scorecard

The Scorecard is run weekly and on every push to master. View the full report →


Dependency Policy

  • GitHub Actions — updated weekly by Dependabot, merged manually
  • npm — updated weekly by Dependabot (UI components only)
  • C++ deps — vendored in deps/ with pinned versions in deps/CMakeLists.txt; updated manually when upstream releases security fixes
  • System packages — inherited from the build container images; base images are pinned to digest SHAs in CI (e.g. debian:trixie@sha256:...)

Responsible Disclosure

We follow a coordinated disclosure policy:

  1. Reporter submits via private advisory
  2. Maintainer confirms and assesses severity
  3. Fix is developed in a private fork or draft advisory
  4. Fix is released
  5. Advisory is published (CVE assigned if applicable)
  6. Reporter credited in the release notes (unless they prefer to remain anonymous)

Clone this wiki locally