pgraft follows the same support policy as PostgreSQL:

We take the security of pgraft seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Open a public GitHub issue
• Discuss the vulnerability in public forums
• Create pull requests that might reveal the issue

• Email: Send a detailed report to security@pgelephant.com
• Include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)
  • Your contact information

• Acknowledgment: We will acknowledge receipt within 24 hours
• Initial Assessment: We will provide an initial assessment within 5 business days
• Updates: We will provide updates on the status every 5 business days
• Resolution: We will work with you to resolve the issue and coordinate disclosure

When using pgraft in production:

• Keep PostgreSQL and pgraft updated to the latest versions
• Use strong passwords and SSL/TLS encryption
• Restrict network access to cluster nodes
• Follow PostgreSQL security hardening guidelines
• Monitor logs for suspicious activity
• Use firewall rules to limit access
• Regularly audit cluster configuration

• pgraft nodes communicate over TCP/IP for Raft consensus
• Consider using network isolation (VPN, private networks)
• Implement network-level encryption (TLS/SSL) if required

• Use PostgreSQL's role-based access control (RBAC)
• Limit who can use pgraft SQL functions
• Follow the principle of least privilege

• pgraft stores Raft state on disk
• Ensure proper file permissions on the data directory
• Regular backups of both PostgreSQL and pgraft state

Currently, pgraft:

• Does not implement TLS encryption for inter-node communication (use network-level encryption)
• Relies on PostgreSQL's authentication and authorization
• Does not implement its own authentication mechanism

• PostgreSQL Security Best Practices
• PostgreSQL pg_hba.conf Configuration