Skip to content

Security: netarchivesuite/heritrix3

Security

SECURITY.md

Security Policy

The elephant in the room

Heritrix's user interface and configuration format allow authenticated users to run arbitrary code, edit local files and so forth. Therefore all Heritrix operators must necessarily considered fully trusted and the UI carefully protected as per the security considerations section of the operating manual. While it would certainly be more secure to have some level of script sandboxing or alternative user access levels it would likely require substantial work to implement. So while we'd be interested in efforts to contribute such improvements these risks are well known and won't be considered new vulnerabilities.

Supported Versions

We don't currently backport fixes to older versions of Heritrix.

Reporting a Vulnerability

If you consider the vulnerability low risk, please open a github issue for it.

If you are concerned there's a high risk a Heritrix vulnerability will be actively exploited if disclosed and feel it is important to give prior notice in private to the maintainers and major users you may contact the following teams who should be able coordinate a response with many other organisations that use Heritrix via the IIPC:

Vulnerabilities in services on archive.org or Archive-It should be reported to the Internet Archive.

Bug Bounty

The Heritrix project is not currently part of a bug bounty program.

There aren’t any published security advisories