We actively support security updates for the following versions:

| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| < 0.3 | ❌ |
We take the security of the IT8951 e-paper driver seriously. If you discover a security vulnerability, please report it responsibly.
GitHub provides a private vulnerability reporting mechanism for this repository:
- DO NOT create a public issue
- Navigate to the Security tab of this repository
- Click the "Report a vulnerability" button
- Fill out the vulnerability report form with:
  - Type of vulnerability
  - Steps to reproduce
  - Potential impact
  - Affected versions
  - Suggested fix (if any)

This ensures your report stays private while we work on a fix.
If you're unable to use GitHub's private reporting feature, you can email: sjnims@gmail.com
When using GitHub's private vulnerability reporting:
- GitHub will notify repository maintainers of your report
- We'll collaborate directly in the security advisory
- You'll receive updates as we investigate and fix the issue
- We'll coordinate disclosure timing with you
- You'll be credited in the security advisory (unless you prefer anonymity)
For email reports:
- Acknowledgment: Within 48 hours
- Investigation: We'll validate and assess the issue
- Updates: Regular progress updates
- Fix: Coordinated patch and disclosure
- Credit: Recognition for responsible disclosure
This driver requires direct hardware access:
- SPI communication
- GPIO pin control
- Memory manipulation
Best Practices:
- Run with minimal required privileges
- Use appropriate user/group permissions
- Avoid running as root when possible
The driver validates all inputs:
- Image dimensions and formats
- Memory addresses
- VCOM voltage ranges
- Display coordinates
We regularly update dependencies for security:
- Monitor security advisories
- Use dependency scanning
- Update promptly when issues are found
Security measures in place:
- GitHub CodeQL analysis
- Type checking with pyright
- Comprehensive test coverage
- Code review for all changes
- Memory Safety
  - Buffer size validation
  - Address range checking
  - Proper memory alignment
- Input Sanitization
  - Image format validation
  - Parameter range checking
  - Type enforcement
- Error Handling
  - No sensitive data in errors
  - Proper exception hierarchy
  - Fail-safe defaults

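As an added example that is not part of this project's code, the following Python sketches the kind of bounds, alignment, type and buffer-size checks the memory-safety and input-sanitization items above describe, applied to a partial display update, with error messages that carry only the offending parameters and never pixel data. The panel dimensions, bits per pixel and the x-alignment constraint are assumed sample values, and the `Panel`, `region_problems` and `validate_region` names and the exception classes are hypothetical.

```python
from dataclasses import dataclass

class DriverError(Exception):
    """Base class for driver errors; messages carry only parameters, never pixel data."""

class RegionError(DriverError, ValueError):
    """The requested region violates panel bounds or an alignment constraint."""

class PixelBufferError(DriverError, ValueError):
    """The pixel buffer length does not match the requested region."""

@dataclass(frozen=True)
class Panel:
    width: int    # panel width in pixels, as reported by the controller
    height: int   # panel height in pixels
    bpp: int      # bits per pixel in the packed pixel buffer (1, 2, 4 or 8)
    x_align: int  # ASSUMED constraint (>= 1): x and width must be multiples of this value

def region_problems(panel: Panel, x: int, y: int, w: int, h: int, buf_len: int) -> list[str]:
    """Return every problem with a partial-update request; an empty list means valid."""
    problems: list[str] = []
    for name, v in (("x", x), ("y", y), ("width", w), ("height", h), ("buf_len", buf_len)):
        if isinstance(v, bool) or not isinstance(v, int):  # bool is an int subclass
            problems.append(f"{name} must be an int, got {type(v).__name__}")
    if problems:
        return problems  # the arithmetic below assumes real ints
    if w <= 0 or h <= 0:
        problems.append("width and height must be positive")
    if x < 0 or y < 0:
        problems.append("x and y must be non-negative")
    # Far-edge check: Python ints never wrap, but these values are later packed into
    # fixed-width controller registers, so anything past the panel is rejected here.
    if x + w > panel.width or y + h > panel.height:
        problems.append(f"region {x},{y} {w}x{h} exceeds panel {panel.width}x{panel.height}")
    if x % panel.x_align or w % panel.x_align:
        problems.append(f"x and width must be multiples of {panel.x_align}")
    expected = -(-w * panel.bpp // 8) * h  # ceil(w * bpp / 8) bytes per row, times h rows
    if buf_len != expected:
        problems.append(f"buffer is {buf_len} bytes, region needs {expected}")
    return problems

def validate_region(panel: Panel, x: int, y: int, w: int, h: int, buf: bytes) -> int:
    """Raise a typed DriverError on any problem; return the byte count on success."""
    problems = region_problems(panel, x, y, w, h, len(buf))
    if problems:
        # A buffer mismatch is appended last, so it is first only when the region itself is fine.
        err = PixelBufferError if problems[0].startswith("buffer") else RegionError
        raise err("; ".join(problems))
    return len(buf)
```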
- Physical Security
  - Secure physical access to hardware
  - Protect SPI/GPIO connections
  - Use proper enclosures
- Software Security
  - Keep Python updated
  - Update dependencies regularly
  - Use virtual environments
- Application Security
  - Validate user inputs
  - Sanitize displayed content
  - Handle errors gracefully

- SPI is not encrypted
  - Physical access allows eavesdropping
  - Use appropriate physical security
- E-paper retains images without power
  - Clear sensitive information when done
  - Consider privacy implications
- Mock mode is for development only
  - Do not use in production
  - No actual hardware security
Last security review: June 2025
- Dependency audit
- CodeQL analysis
- Input validation review
- Error handling review
- Security vulnerabilities: Use GitHub's private reporting or email sjnims@gmail.com
- General issues: GitHub Issues
- Questions: GitHub Discussions (if enabled)