forked from bambulab/BambuStudio
-
Notifications
You must be signed in to change notification settings - Fork 0
Security
BenJule edited this page May 31, 2026
·
2 revisions
| Version | Supported |
|---|---|
| Latest release | ✅ Active support |
| Previous release | |
| Older releases | ❌ Not supported |
| Nightly builds | ❌ Not supported (pre-release) |
Caution
Do not report security vulnerabilities through public GitHub issues. Public disclosure before a fix is available puts all users at risk.
Use GitHub's private vulnerability reporting: Report a vulnerability →
- Type of vulnerability (buffer overflow, RCE, path traversal, XSS in the UI, etc.)
- File paths and line numbers of affected source code
- Steps to reproduce — be as specific as possible
- Proof-of-concept or exploit code (if available)
- Impact assessment — who is affected, under what conditions
- Suggested fix (optional but appreciated)
| Step | Target |
|---|---|
| Initial acknowledgement | Within 7 days |
| Triage and severity assessment | Within 14 days |
| Fix development and testing | Depends on severity |
| Coordinated disclosure | After fix is released |
- The BambuStudio slicer application (this repository)
- The CI/CD pipeline (
.github/workflows/) - The APT repository infrastructure (
apt.s3-dev.ovh) - The build scripts (
BuildLinux.sh,scripts/)
- Bambu Lab cloud infrastructure — report to Bambu Lab
- Printer firmware — report to Bambu Lab
- Third-party dependencies — report to the respective upstream project
- Flathub — report to the Flathub maintainers
This repository implements multiple layers of security hardening.
| Tool | Scope | Schedule |
|---|---|---|
| CodeQL (C++, JS) | All source code | Every PR + weekly |
| Dependency Review | New dependencies in PRs | Every PR (required check) |
| Dependabot | GitHub Actions + npm | Weekly, Monday |
| OpenSSF Scorecard | Repository security posture | Weekly + push |
All GitHub Actions workflow steps use pinned SHA references (not floating tags):
# ✅ Correct — pinned to exact commit
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# ❌ Wrong — floating tag can be moved
uses: actions/checkout@v4Harden Runner (step-security/harden-runner) is applied to every job with egress-policy: audit. This logs all outbound network connections made during CI jobs.
| Control | Status |
|---|---|
| Required status checks (CI + security review) | ✅ Enforced |
| Required conversation resolution | ✅ Enforced |
| Signed commits (GPG) | ✅ Required |
| Force push | ❌ Blocked |
| Branch deletion | ❌ Blocked |
| Enforce admins | ✅ Yes — applies to everyone |
- The repository follows least-privilege: all workflows use
permissions: read-allby default and request only the specific write permissions they need - Deploy secrets (AUR SSH key, Homebrew token, S3 credentials) are stored as repository secrets and are not accessible to fork PRs
The Scorecard is run weekly and on every push to master. View the full report →
- GitHub Actions — updated weekly by Dependabot, merged manually
- npm — updated weekly by Dependabot (UI components only)
-
C++ deps — vendored in
deps/with pinned versions indeps/CMakeLists.txt; updated manually when upstream releases security fixes -
System packages — inherited from the build container images; base images are pinned to digest SHAs in CI (e.g.
debian:trixie@sha256:...)
We follow a coordinated disclosure policy:
- Reporter submits via private advisory
- Maintainer confirms and assesses severity
- Fix is developed in a private fork or draft advisory
- Fix is released
- Advisory is published (CVE assigned if applicable)
- Reporter credited in the release notes (unless they prefer to remain anonymous)