We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
Report vulnerabilities through GitHub's private vulnerability reporting:
- Go to https://github.com/ssahani/hyper2kvm/security/advisories
- Click "Report a vulnerability"
- Fill in the details
Send an email to: ssahani@redhat.com
Include the following information:
- Type of vulnerability
- Full paths of affected source files
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Response time: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Critical issues within 2 weeks, others within 4 weeks
- Disclosure: Coordinated disclosure after fix is available
hyper2kvm implements several security measures:
- Static Analysis: Bandit security scanning in CI
- Dependency Scanning: Dependabot and pip-audit
- Type Safety: MyPy type checking
- Code Review: All changes reviewed before merge
- Path Traversal Protection: All file paths validated (see hyper2kvm/vmware/utils/vmdk_parser.py)
- Command Injection Prevention: No shell=True in subprocess calls
- Input Validation: All user inputs sanitized
- TLS Verification: Certificate validation enforced for VMware/Azure connections
- VMDK Parsing (CVE-like vulnerabilities prevented):
  - Path traversal in extent paths blocked
  - Maximum file size limits enforced
  - Malicious descriptor detection
  - See: tests/unit/test_vmware/test_vmdk_security.py
- SSH/Remote Operations:
  - Host key verification required
  - No password storage
  - Timeout enforcement
- Windows Registry Operations:
  - Offline-only registry edits (libguestfs)
  - Backup before modifications
  - Validation after changes
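The extent-path and size checks listed under VMDK Parsing can be sketched as follows. This is an added example, not code from hyper2kvm or its `vmdk_parser.py`; the names `resolve_extent`, `safe_extents`, `UnsafeDescriptor` and the 1 MiB `MAX_DESCRIPTOR_BYTES` cap are assumptions made for illustration.

```python
import re
from pathlib import Path, PureWindowsPath

# Extent line of a VMDK text descriptor: ACCESS SIZE TYPE "FILENAME" [OFFSET]
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]*)"')
MAX_DESCRIPTOR_BYTES = 1024 * 1024  # assumed cap; the policy states no figure

# Constructed sample: one legitimate extent, one traversal attempt.
SAMPLE = '''# Disk DescriptorFile
version=1
createType="twoGbMaxExtentSparse"
RW 4192256 SPARSE "disk-s001.vmdk"
RW 4192256 SPARSE "../../../etc/shadow"
'''


class UnsafeDescriptor(ValueError):
    """Raised when a descriptor must not be processed."""


def resolve_extent(base_dir: Path, name: str) -> Path:
    """Return the extent's real path, refusing anything outside base_dir."""
    if not name or "\x00" in name:
        raise UnsafeDescriptor(f"empty or NUL-containing extent name: {name!r}")
    # Absolute paths in POSIX or Windows form (drive letter, UNC) are refused.
    win = PureWindowsPath(name)
    if name.startswith("/") or win.is_absolute() or win.drive:
        raise UnsafeDescriptor(f"absolute extent path: {name!r}")
    base = base_dir.resolve()
    # Backslashes count as separators; resolve() also follows symlinks,
    # so a link inside base_dir that points elsewhere is caught too.
    candidate = (base / name.replace("\\", "/")).resolve()
    if not candidate.is_relative_to(base):
        raise UnsafeDescriptor(f"extent escapes {base}: {name!r}")
    return candidate


def safe_extents(descriptor: str, base_dir: Path) -> list[Path]:
    """Validate every extent line before any extent file is opened."""
    if len(descriptor.encode()) > MAX_DESCRIPTOR_BYTES:
        raise UnsafeDescriptor("descriptor exceeds size limit")
    return [resolve_extent(base_dir, m.group(4))
            for line in descriptor.splitlines()
            if (m := EXTENT_RE.match(line.strip()))]
```

Calling `safe_extents(SAMPLE, Path("/srv/images/vm1"))` raises `UnsafeDescriptor` on the second extent line, so the whole descriptor is rejected before any extent is read.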
- Run with Least Privilege

  ```bash
  # Don't run as root unless absolutely necessary
  sudo -u vmadmin hyper2kvm vsphere ...
  ```
- Network Security

  ```bash
  # Use VPN/bastion for vSphere access
  # Verify TLS certificates
  hyper2kvm vsphere --verify-ssl ...
  ```
- Credential Management

  ```bash
  # Use environment variables, not command-line args
  export VCENTER_PASSWORD="..."
  hyper2kvm vsphere --username admin

  # Or use credential files with restricted permissions
  chmod 600 ~/.hyper2kvm/credentials.yaml
  ```
- Audit Logging

  ```bash
  # Enable detailed logging for audit trails
  hyper2kvm --log-level debug --log-file /var/log/hyper2kvm/migration.log ...
  ```
- Pre-commit Hooks

  ```bash
  pip install pre-commit
  pre-commit install
  ```
- Security Scanning

  ```bash
  make security
  # or
  hatch run security
  ```
- Dependency Updates

  ```bash
  # Keep dependencies updated
  pip install --upgrade -r requirements.txt
  pip-audit
  ```

hyper2kvm requires libguestfs and qemu-img, which run with elevated privileges:
- Risk: Potential privilege escalation
- Mitigation: Only use trusted disk images, validate inputs
- Status: Inherent to offline VM manipulation
Credentials must be provided for vSphere operations:
- Risk: Credential exposure
- Mitigation: Use environment variables, vault integration
- Recommendation: Implement OAuth/token-based auth (planned)
Offline Windows registry modification:
- Risk: VM corruption if interrupted
- Mitigation: Automatic backups, atomic operations
- Status: Production-ready with safeguards
We perform regular security testing:
- SAST: Bandit, ruff security rules
- Dependency Scanning: pip-audit, Safety, Dependabot
- Vulnerability Database: CVE monitoring
- Penetration Testing: Community-driven (contributions welcome)
```bash
# Full security scan
make security

# Generate security report
hatch run security-audit

# Dependency audit
pip-audit --desc

# Check for secrets
detect-secrets scan --baseline .secrets.baseline
```

We recognize security researchers who responsibly disclose vulnerabilities:
For security inquiries: ssahani@redhat.com
For general support: https://github.com/ssahani/hyper2kvm/issues
This security policy is reviewed quarterly and updated as needed.
Last Updated: 2026-01-18