DDX for PostgreSQL — Security

REPORTING VULNERABILITIES

If you discover a security vulnerability in this service, please report it responsibly:

Issue:    open a security issue on codeberg.org/ddx/site
Language: English preferred

Public tracker; for high-severity embargoed disclosure, open an
issue saying "I have an embargoed disclosure and want a private
channel" and we'll respond with contact details.

We will acknowledge receipt within 48 hours and aim to provide a substantive response within 7 days.

SCOPE

In scope:

• The pg.ddx.io web application and API endpoints
• NNTP, IMAP, POP3, and SSH protocol implementations
• The MCP server endpoint
• Authentication bypass, injection, or data integrity issues
• TLS configuration weaknesses

Out of scope:

• Content of archived emails (these are public records mirrored from postgresql.org)
• Denial of service attacks (please don't test these)
• Social engineering
• Third-party services (Cloudflare, Exoscale, Codeberg)

SECURITY ARCHITECTURE

• All protocols are read-only — no user-submitted content is accepted
• No accounts, passwords, sessions, or authentication tokens exist
• No personal data is stored (see Privacy)
• TLS via Let's Encrypt with DNS-01 validation
• Rate limiting on all endpoints
• Fail2ban for brute-force protection
• NixOS with mandatory access controls and minimal attack surface

MACHINE-READABLE

For automated tools: /.well-known/security.txt (RFC 9116)