# π Security Policy
## Supported Versions
We take security seriously. Security updates and vulnerability patches are provided for the following versions:
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
| < 1.0 | :x: |
---
## Reporting a Vulnerability
**Please do NOT report security vulnerabilities through public GitHub issues.**
### Private Reporting Process
Instead, please report them via email to:
π§ **security@termux-vault.dev**
Include the following in your report:
1. **Description of the vulnerability**
- Type of issue (e.g., buffer overflow, privilege escalation, data exposure)
- Impact and potential exploit scenarios
2. **Steps to reproduce**
- Minimal code or commands to trigger the vulnerability
- Environment details (Termux version, Android version, device)
3. **Proof of concept**
- Screenshots, logs, or code snippets
- Any relevant error messages
4. **Suggested fix** (optional)
- Proposed patch or mitigation strategy
### Response Timeline
| Phase | Timeframe |
|-------|-----------|
| Initial acknowledgment | Within 24 hours |
| Confirmation of vulnerability | Within 72 hours |
| Security patch release | Within 7 days (critical), 14 days (high), 30 days (medium) |
| Public disclosure | After patch is released and users have had time to update |
---
## Security Best Practices for Users
### π File Permissions
The system automatically manages permissions, but verify:
```bash
# Check that sensitive files are not world-readable
ls -la ~/termux-backup/vault/backups/
ls -la ~/termux-backup/config/backup.conf
# Recommended permissions
chmod 700 ~/termux-backup/vault/backups
chmod 600 ~/termux-backup/config/backup.conf
chmod 600 ~/termux-backup/vault/backup.logπ SSH Key Protection
Backups include SSH keys. After restore, immediately verify:
# Ensure proper SSH permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/authorized_keysπ¦ Checksum Verification
Always verify backup integrity before restore:
# Verify backup integrity
./termux-backup verify <backup-name>
# Manual checksum verification
sha256sum -c vault/meta/<backup-name>/checksum.sha256π Regular Updates
Keep the system updated:
# Update Termux Vault
git pull origin main
bash install.sh
# Verify installation
./termux-backup --helpSecurity Features
β Cryptographic Integrity
Β· SHA256 checksums generated for every backup Β· Pre-restore verification prevents corrupted data restoration Β· Manifest validation ensures metadata integrity
β Atomic Operations
Β· No partial backups - Operations complete fully or not at all Β· Safety snapshots created before any destructive operation Β· Transaction-like behavior prevents system inconsistency
β Data Protection
Β· Self-contained storage - No data leaves the device Β· No external dependencies - Reduced attack surface Β· No network access required - Air-gapped operation possible Β· Compression with verification - zstd with integrity checks
β Access Control
Β· No root required - Runs with standard user permissions Β· File permission preservation - Maintains original security context Β· Exclusion patterns - Configurable sensitive data filtering
Vulnerability Disclosure Policy
Our Commitment
- Prompt Response: We will acknowledge receipt of your report within 24 hours
- Transparency: We will keep you informed of our progress
- Credit: We will publicly acknowledge your contribution (unless you prefer anonymity)
- Safe Harbor: We will not pursue legal action against security researchers who act in good faith
Disclosure Timeline
Day 0: Vulnerability reported
Day 1: Initial acknowledgment
Day 3: Confirmation and severity assessment
Day 7: Critical patch development begins
Day 14: Patch released for critical vulnerabilities
Day 30: Public disclosure (CVE requested if applicable)
Severity Classification
Severity Examples Response Time Critical Data loss, privilege escalation, remote code execution 7 days High Information disclosure, integrity violation 14 days Medium Denial of service, configuration weakness 30 days Low Cosmetic issues, documentation errors Next release
Secure Development Practices
Code Standards
Β· Strict error handling: set -Eeuo pipefail in all scripts Β· Input validation: All user inputs are sanitized Β· Path traversal prevention: No dynamic path construction from user input Β· Shell injection prevention: Parameterized commands, no eval
Testing Requirements
# Run security tests before deployment
cd ~/termux-backup
# 1. Check for hardcoded paths
grep -r "/data/data/com.termux" --include="*.sh" | grep -v "^#"
# 2. Check for world-writable files
find . -type f -perm -o+w
# 3. Check for SUID/SGID files
find . -type f -perm /6000
# 4. Verify checksums of all scripts
sha256sum termux-backup termux-restore lib/*.sh config/*.confThird-Party Dependencies
Termux Vault has zero external dependencies by design:
Component Built-in Notes bash β Termux default shell tar β Pre-installed in Termux zstd β Required: pkg install zstd sha256sum β Part of coreutils dpkg β Termux package manager apt β Termux package manager
Install missing dependency:
pkg install zstdSecure Configuration Template
config/backup.conf - Security Hardened
# ============================================================
# SECURITY SETTINGS
# ============================================================
# Always verify integrity (DO NOT DISABLE)
SHA256_VALIDATE=true
# Create safety snapshot before restore (DO NOT DISABLE)
PRE_RESTORE_SNAPSHOT=true
# Minimum free space (prevents system crash)
MIN_FREE_SPACE_MB=512
# ============================================================
# SENSITIVE DATA PROTECTION
# ============================================================
# Exclude sensitive files from backup
EXCLUDE_PATTERNS=(
".cache"
"tmp"
".bash_history" # Command history
".python_history" # Python history
".node_repl_history" # Node.js history
".lesshst" # Less history
)
# ============================================================
# RETENTION (limits exposure window)
# ============================================================
MAX_BACKUPS=7 # Keep only recent backups
MAX_SNAPSHOT_AGE_DAYS=14 # Remove old snapshots fasterIncident Response
If You Suspect a Breach
- Isolate the system
# Disable network (if applicable) termux-wifi-enable false
- Create forensic backup
# Backup current state for analysis tar -czf forensic-$(date +%Y%m%d-%H%M%S).tar.gz ~/termux-backup/vault/
- Verify last known good backup
# Check which backups pass integrity verification ./termux-backup list ./termux-backup verify <latest-backup>
- Restore from clean backup
# Restore from verified backup ./termux-restore restore <last-known-good-backup>
- Contact us
# Send forensic data (encrypted) gpg --encrypt --recipient security@termux-vault.dev forensic-*.tar.gz
Security Audits
Self-Audit Checklist
Run these checks monthly:
#!/bin/bash
# security-audit.sh - Monthly security audit
echo "=== Termux Vault Security Audit ==="
echo "Date: $(date)"
echo ""
# 1. Check file permissions
echo "[1/6] Checking file permissions..."
find ~/termux-backup -type f -name "*.sh" -exec ls -la {} \;
# 2. Verify no world-readable sensitive files
echo "[2/6] Checking for world-readable sensitive files..."
find ~/termux-backup/vault -type f -perm -004
# 3. Check for modified scripts
echo "[3/6] Verifying script integrity..."
md5sum ~/termux-backup/termux-backup ~/termux-backup/termux-restore
# 4. Check backup integrity
echo "[4/6] Verifying backup integrity..."
for backup in ~/termux-backup/vault/backups/*.tar.zst; do
[[ "$backup" == *"-prefix.tar.zst" ]] && continue
name=$(basename "$backup" .tar.zst)
~/termux-backup/termux-backup verify "$name" 2>&1 | grep -E "(β|β|FAILED)"
done
# 5. Check for suspicious processes
echo "[5/6] Checking for suspicious processes..."
ps aux | grep -E "(nc|netcat|reverse|bind)" | grep -v grep
# 6. Review recent logs
echo "[6/6] Reviewing recent log entries..."
grep -E "(ERROR|WARN|FAILED)" ~/termux-backup/vault/backup.log | tail -20
echo ""
echo "=== Audit Complete ==="Compliance
Data Protection
Β· GDPR: All data remains on-device, no external transmission Β· HIPAA: No PHI collection or transmission (suitable for development environments) Β· PCI-DSS: No payment data processing
Encryption Standards
Feature Algorithm Key Size Integrity SHA-256 256-bit Compression Zstandard N/A (lossless) Archive GNU tar N/A
Contact
Β· Security Issues: security@termux-vault.dev Β· General Questions: Open a GitHub Issue Β· Responsible Disclosure: See Reporting Process
Acknowledgments
We thank the following for their security contributions:
Β· The Termux development team Β· The Bash security community Β· All security researchers who responsibly disclose vulnerabilities
Changelog
Date Version Changes 2026-01-28 1.0.0 Initial security policy
π Security is not an afterthought. It's built into every line of code.
Report responsibly. Protect diligently. Backup religiously.
π How to Use This File
- Save as SECURITY.md in your repository root
- GitHub automatically detects and displays it in the Security tab
- Update contact email to your actual security contact
- Add to .github/SECURITY.md for organization-level policy (optional)
Quick Setup
# In your repository
cat > SECURITY.md << 'EOF'
[paste the content above]
EOF
# Commit and push
git add SECURITY.md
git commit -m "Add security policy"
git push origin mainThis will appear at: https://github.com/erfan1994/termux-backup/security/policy