We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version to ensure you have the most recent security updates.
If you discover a security vulnerability in redisctl, please report it privately to help us address it before public disclosure.
Please do NOT report security vulnerabilities through public GitHub issues.
- Email: Send details to the project maintainers via GitHub
- Include:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Any suggested fixes (if available)
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Updates: We will provide regular updates on our progress
- Timeline: We aim to release a fix within 90 days of the initial report
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
When using redisctl:
- Credentials: Use the `--use-keyring` flag with the `secure-storage` feature to store credentials securely
- Permissions: Store configuration files with restrictive permissions (e.g., `chmod 600 ~/.config/redisctl/config.toml`)
- TLS: Always use HTTPS endpoints; only use `REDIS_ENTERPRISE_INSECURE=true` for testing
- Environment Variables: Be cautious when using environment variables for credentials in shared environments
- Updates: Keep redisctl updated to the latest version
- Credentials stored in plain text configuration files are readable by any process with access to the file
- The `--insecure` flag disables TLS certificate verification and should only be used in development
- API keys and secrets in command-line arguments may be visible in process listings
For enhanced security, we recommend:
- Using the `secure-storage` feature for credential management
- Configuring proper file system permissions
- Using environment variables or profiles instead of command-line flags for sensitive data
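The script below is an added example for this page, not redisctl's own code: a small POSIX sh preflight that audits the practices listed above before a command is run. It uses only what the page names (the config path from the `chmod 600` example, the `REDIS_ENTERPRISE_INSECURE` variable and the `--insecure` flag); the `audit` function, its warning text and its convention of returning the number of findings are the example's own assumptions.

```shell
#!/bin/sh
# Added example for this policy; it is not part of redisctl. It audits the points
# listed above: config file permissions, the testing-only REDIS_ENTERPRISE_INSECURE
# variable, and the --insecure flag on a command line. The default config path is
# the one from the chmod example above; everything else is generic POSIX sh.

CONFIG_DEFAULT="$HOME/.config/redisctl/config.toml"

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file exists and is readable by its owner alone (0600 or 0400),
# i.e. the state that `chmod 600` leaves it in.
config_perms_ok() {
  [ -f "$1" ] || return 1
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Succeed if the environment carries the setting that disables TLS verification.
insecure_env_set() {
  [ "${REDIS_ENTERPRISE_INSECURE:-}" = "true" ]
}

# Succeed if the given command-line arguments contain --insecure.
args_use_insecure() {
  for arg in "$@"; do
    if [ "$arg" = "--insecure" ]; then
      return 0
    fi
  done
  return 1
}

# audit CONFIG_PATH [redisctl args...]
# Prints one line per finding and returns the number of findings (0 = clean).
audit() {
  cfg="$1"
  shift
  findings=0
  if ! config_perms_ok "$cfg"; then
    echo "WARN: $cfg is not owner-only (mode: $(file_mode "$cfg" 2>/dev/null || echo missing)); fix with: chmod 600 $cfg"
    findings=$((findings + 1))
  fi
  if insecure_env_set; then
    echo "WARN: REDIS_ENTERPRISE_INSECURE=true disables TLS verification; unset it outside testing"
    findings=$((findings + 1))
  fi
  if args_use_insecure "$@"; then
    echo "WARN: --insecure on the command line disables certificate verification; drop it outside development"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# When run directly with arguments: ./audit.sh CONFIG_PATH [redisctl args...]
# (use "$CONFIG_DEFAULT" as the first argument for the standard location).
if [ "$#" -gt 0 ]; then
  audit "$@" || echo "$? finding(s)"
fi
```

The exit status doubles as the finding count, so a wrapper can refuse to run redisctl unless `audit` returns 0. Each check maps to one bullet above: the permission check catches the plain-text config file readable by other processes, and the environment and argument checks catch the two ways TLS verification can be switched off.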