This project is a single-script utility (vhc_simplifier.py) and does not follow a versioned release cycle. Security fixes are applied to the latest commit on main only.
| State | Supported |
|---|---|
| Latest (main) | ✅ |
| Any prior commit | ❌ |
Recommendation: Always pull the latest version from `main` before running in production environments.
This tool parses and summarizes Veeam Health Check HTML/JSON reports. Security considerations relevant to this project include:
- Path traversal / arbitrary file read — malicious input file paths passed to the script
- Unsafe deserialization — processing of crafted/malformed Veeam report files
- Credential exposure — accidental logging or surfacing of sensitive data present in Veeam reports (e.g., repository names, job credentials, server hostnames)
- Dependency vulnerabilities — issues in packages listed in `requirements.txt`
- Code injection — any vector allowing execution of unintended code via report content
Out of scope: vulnerabilities in Veeam Backup & Replication itself, or issues requiring physical/administrative access to the host running this script.
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues privately via one of the following:
- Email: security@cgfixit.com
- Web: https://cgfixit.com (use the contact form and mark the subject as `[SECURITY]`)
To help triage effectively, please provide:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce (include a sanitized/minimal sample report file if applicable)
- Environment details (OS, Python version, relevant dependencies from `requirements.txt`)
- Any suggested remediation, if you have one
| Milestone | Target Timeframe |
|---|---|
| Acknowledgment of report | Within 48 hours |
| Initial triage / severity rating | Within 5 days |
| Fix or mitigation published | Within 14 days |
| Public disclosure (if warranted) | After fix is live |
These are best-effort targets for a solo-maintained open-source project. Complex issues may take longer; you will be kept informed.
- Accepted vulnerabilities will receive a fix on `main` and a note in the commit message referencing the report (reporter credited by name/handle if desired).
- Declined reports will receive a clear explanation of why the finding is out of scope or not actionable.
Dependencies are tracked in `requirements.txt`. It is recommended to:

```bash
pip install --upgrade -r requirements.txt
pip-audit -r requirements.txt  # requires pip-audit
```

Report any known CVEs in listed packages using the process above.
This project follows responsible disclosure. Public details of a confirmed vulnerability will not be released until a fix is available or a reasonable remediation window (14 days) has passed without resolution, whichever comes first.