Security: KirilMT/CMMS-SCADA-Excel-DataProcessor

SECURITY.md

Security Policy

Supported Versions

Currently supported versions of CMMS SCADA Excel Data Processor:

Version | Supported
------- | ---------
1.0.x   | Yes

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

DO NOT open a public issue for security vulnerabilities

Instead, please report security issues via one of these methods:

  1. GitHub Security Advisories (Preferred)

    • Go to the Security tab
    • Click "Report a vulnerability"
    • Provide detailed information about the vulnerability
  2. Email (Alternative)

    • Send to: kiril.mt95@gmail.com
    • Subject: [SECURITY] CMMS-SCADA Vulnerability Report
    • Include:
      • Description of the vulnerability
      • Steps to reproduce
      • Potential impact
      • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Fix Timeline: Depends on severity
    • Critical: Within 7 days
    • High: Within 30 days
    • Medium/Low: Next release

Disclosure Policy

  • We follow coordinated disclosure
  • Security advisories will be published after fixes are released
  • Credit will be given to reporters (unless anonymity is requested)

Security Best Practices for Users

Configuration Security

  • Never commit Config.bas - Verify it is listed in .gitignore and, separately, that it is not already tracked: .gitignore does not remove a file that was committed earlier, and any secret that ever reached git history should be rotated
  • Use strong passwords - Choose a strong, unique CMMS password and never hardcode credentials in Config.bas or any other module
  • Review XPath selectors - Ensure they point to the intended elements, so the automation types credentials into, and clicks, only the fields it is meant to
  • Validate downloads - Check the type, size and content of downloaded files before processing them; in particular, refuse macro-enabled workbooks (.xlsm, or an .xlsx that contains xl/vbaProject.bin)
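As an added example (not code from the CMMS-SCADA-Excel-DataProcessor project), the following Windows PowerShell 5.1 script performs the checks in the list above: it confirms Config.bas is both ignored and untracked, scans the remaining modules and scripts for hardcoded credentials, and validates a downloaded export before Excel opens it. The secret-matching patterns, the accepted file types and the 200 MB size limit are assumptions to adapt to your site.

```powershell
# Added example, not part of the project. Run from the repository root in Windows PowerShell 5.1 (git on PATH).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ConfigIgnored {
    param([string]$Path = 'Config.bas')
    $ok = $true
    # 1. Must match a .gitignore rule (git check-ignore exits 0 when the path is ignored).
    git check-ignore -q -- $Path 2>$null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Path is not covered by .gitignore"; $ok = $false }
    # 2. Must not already be tracked: .gitignore does nothing for a file committed earlier.
    git ls-files --error-unmatch -- $Path 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Warning "$Path is tracked; run 'git rm --cached $Path' and rotate any secret it contains"
        $ok = $false
    }
    return $ok
}

function Find-HardcodedSecrets {
    param([string]$Root = '.')
    # Constructed heuristics for the two languages used in this project; extend for your own naming.
    $patterns = @(
        '(?i)\b(password|passwd|pwd)\s*=\s*"[^"]+"',                   # VBA: Const PASSWORD = "..."
        '(?i)\$(password|passwd|pwd)\s*=\s*[''"][^''"]+[''"]',          # PowerShell: $Password = '...'
        '(?i)ConvertTo-SecureString\s+[''"][^''"]+[''"]\s+-AsPlainText' # PowerShell: literal SecureString
    )
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Extension -in '.bas', '.cls', '.frm', '.ps1' -and
                       $_.Name -ne 'Config.bas' -and $_.FullName -notmatch '\\\.git\\' } |
        Select-String -Pattern $patterns |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
}

function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long]$MaxBytes = 200MB   # assumption: size a real CMMS export for your site
    )
    $file = Get-Item -LiteralPath $Path
    if ($file.Length -eq 0 -or $file.Length -gt $MaxBytes) { throw "Unexpected size ($($file.Length) bytes): $Path" }
    switch ($file.Extension) {
        '.xlsx' {
            # An .xlsx is a ZIP container: check the magic bytes, then refuse any workbook that ships VBA.
            $magic = Get-Content -LiteralPath $Path -Encoding Byte -TotalCount 4
            if (-not ($magic[0] -eq 0x50 -and $magic[1] -eq 0x4B)) { throw "Not a ZIP/OOXML container: $Path" }
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                if ($zip.Entries.FullName -contains 'xl/vbaProject.bin') { throw "Workbook contains VBA: $Path" }
            } finally { $zip.Dispose() }
        }
        '.csv' {
            # A text export must not contain NUL bytes; if it does, it is not the CSV you asked for.
            $head = Get-Content -LiteralPath $Path -Encoding Byte -TotalCount 4096
            if ($head -contains 0) { throw "Binary content in what should be a text export: $Path" }
        }
        default { throw "Unexpected file type '$($file.Extension)': $Path" }   # .xlsm etc. are refused here
    }
    return $true
}

# Usage:
#   Test-ConfigIgnored; Find-HardcodedSecrets; Test-DownloadedFile -Path .\downloads\export.xlsx
```

Run the first two functions as a pre-commit step; Test-DownloadedFile belongs between the Selenium download and the Excel import, because Excel will happily open an .xlsm that a compromised or misconfigured CMMS handed back.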

Credential Management

  • Use Windows Credential Manager - Secure, per-user storage for the CMMS password; store it once (for example with the built-in cmdkey tool) instead of typing it into scripts
  • Environment variables - For automation scenarios only: any process running as the same user can read them, so set them only for the scheduled task and clear them as soon as they have been read
  • Regular rotation - Change CMMS passwords periodically, and immediately if one may have been committed or logged
  • Clear credentials - Tool automatically clears after use
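As an added example (not code from the project), here is one way to follow all four bullets in Windows PowerShell 5.1: the credential is read from Windows Credential Manager through the CredRead Win32 API, or from an environment variable that is removed immediately after reading, and the plaintext is exposed only inside a short script block and zeroed afterwards. The target name CMMS-SCADA, the user name svc_cmms and the variable names CMMS_USER / CMMS_PASSWORD are assumptions.

```powershell
# Added example, not part of the project. Windows PowerShell 5.1.
# Store the CMMS login once, interactively, with the built-in cmdkey tool so the password never appears in a
# script or in shell history ("CMMS-SCADA" is an assumed target name; /pass without a value prompts for it):
#   cmdkey /generic:CMMS-SCADA /user:svc_cmms /pass

Add-Type -Namespace Win32 -Name CredMan -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CredRead(string target, int type, int flags, out IntPtr credential);
[DllImport("advapi32.dll")]
public static extern void CredFree(IntPtr credential);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CREDENTIAL {
    public int Flags; public int Type; public string TargetName; public string Comment;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
    public int CredentialBlobSize; public IntPtr CredentialBlob; public int Persist;
    public int AttributeCount; public IntPtr Attributes; public string TargetAlias; public string UserName;
}
'@

function Get-CmmsCredential {
    param([string]$Target = 'CMMS-SCADA')   # assumed Credential Manager target name
    # Automation path: a scheduler injects CMMS_USER / CMMS_PASSWORD (assumed names).
    # Convert at once and remove the variable so child processes (Chrome, ChromeDriver) cannot inherit it.
    if ($env:CMMS_PASSWORD) {
        $secure = ConvertTo-SecureString -String $env:CMMS_PASSWORD -AsPlainText -Force
        Remove-Item Env:\CMMS_PASSWORD
        return New-Object System.Management.Automation.PSCredential($env:CMMS_USER, $secure)
    }
    # Desktop path: read the generic credential from Windows Credential Manager.
    $ptr = [IntPtr]::Zero
    if (-not [Win32.CredMan]::CredRead($Target, 1, 0, [ref]$ptr)) {   # 1 = CRED_TYPE_GENERIC
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "No generic credential '$Target' in Credential Manager (Win32 error $err)"
    }
    try {
        $c = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][Win32.CredMan+CREDENTIAL])
        # cmdkey stores the blob as UTF-16; copy it one character at a time into a SecureString
        # so the password never exists as an immutable .NET string.
        $secure = New-Object System.Security.SecureString
        for ($i = 0; $i -lt $c.CredentialBlobSize; $i += 2) {
            $code = [Runtime.InteropServices.Marshal]::ReadInt16($c.CredentialBlob, $i) -band 0xFFFF
            $secure.AppendChar([char]$code)
        }
        $secure.MakeReadOnly()
        return New-Object System.Management.Automation.PSCredential($c.UserName, $secure)
    } finally {
        [Win32.CredMan]::CredFree($ptr)   # release the copy Windows handed back
    }
}

function Invoke-WithCmmsPassword {
    param([Parameter(Mandatory)][pscredential]$Credential, [Parameter(Mandatory)][scriptblock]$Action)
    # Decrypt only for the duration of $Action (for example a single SendKeys call), then zero the unmanaged
    # buffer. The plaintext still exists briefly as a managed string inside $Action, so keep that scope minimal.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credential.Password)
    try {
        & $Action $Credential.UserName ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Usage: the script block receives (user, plaintext) and is the only place the plaintext is visible.
#   Invoke-WithCmmsPassword -Credential (Get-CmmsCredential) -Action { param($u, $p) <# fill the login form #> }
```

CredFree releases the buffer but is not documented to scrub it, which is why the loop copies into a SecureString instead of calling PtrToStringUni; the SecureString is the object to hand to whatever drives the login form.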

Excel Security

  • Macro security - Set to "Disable all except digitally signed" (Trust Center > Macro Settings); this blocks unsigned VBA, so the project workbook must then either run from a trusted location or be signed with a certificate you control
  • Trusted locations - Only add your project folder, never Downloads, Desktop or a whole drive: everything inside a trusted location bypasses the macro checks
  • Regular updates - Keep Excel and Windows updated
  • Antivirus - Ensure up-to-date protection
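The two Trust Center settings above can be audited and applied from Windows PowerShell 5.1 through the per-user registry keys Excel stores them in. This is an added example, not code from the project; it assumes the Office 16.0 registry layout (Office 2016/2019/Microsoft 365) and an example project path, both of which you should adjust.

```powershell
# Added example, not part of the project. Windows PowerShell 5.1, Office 16.0 registry layout (assumption).
$OfficeVersion = '16.0'
$SecurityKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"
$PolicyKey     = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"

# VBAWarnings: 1 = enable all, 2 = disable with notification (Excel default),
#              3 = disable all except digitally signed, 4 = disable all without notification.
$SignedOnly = 3

function Get-ExcelMacroSetting {
    # A value under the Policies hive (Group Policy) overrides the user's own Trust Center choice.
    foreach ($key in $PolicyKey, $SecurityKey) {
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $key; VBAWarnings = $v; SignedOnly = ($v -eq $SignedOnly) }
        }
    }
    [pscustomobject]@{ Source = 'default'; VBAWarnings = 2; SignedOnly = $false }
}

function Set-ExcelMacroSignedOnly {
    if (-not (Test-Path $SecurityKey)) { New-Item -Path $SecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $SecurityKey -Name VBAWarnings -Value $SignedOnly -Type DWord
}

function Get-ExcelTrustedLocation {
    Get-ChildItem -Path "$SecurityKey\Trusted Locations" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name = $_.PSChildName; Path = $p.Path
            AllowSubfolders = [bool]$p.AllowSubfolders; Description = $p.Description
        }
    }
}

function Add-ExcelTrustedLocation {
    param([Parameter(Mandatory)][string]$Path, [string]$Description = 'CMMS-SCADA project folder')
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath.TrimEnd('\') + '\'
    # Everything in a trusted location bypasses macro checks, so refuse folders that receive untrusted files.
    $tooBroad = @('C:\', "$env:USERPROFILE\", "$env:USERPROFILE\Downloads\", "$env:USERPROFILE\Desktop\", "$env:TEMP\")
    if ($resolved -in $tooBroad) { throw "Refusing to trust a broad or download folder: $resolved" }
    if (Get-ExcelTrustedLocation | Where-Object Path -eq $resolved) { return }   # already present
    $base = "$SecurityKey\Trusted Locations"
    $n = 0
    while (Test-Path "$base\Location$n") { $n++ }
    $key = New-Item -Path "$base\Location$n" -Force
    New-ItemProperty -Path $key.PSPath -Name Path            -Value $resolved    -PropertyType String | Out-Null
    New-ItemProperty -Path $key.PSPath -Name AllowSubfolders -Value 0            -PropertyType DWord  | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description     -Value $Description -PropertyType String | Out-Null
}

# Usage:
#   Get-ExcelMacroSetting          # audit the effective macro setting and where it comes from
#   Set-ExcelMacroSignedOnly       # enforce "Disable all except digitally signed" for this user
#   Add-ExcelTrustedLocation -Path 'C:\Projects\CMMS-SCADA-Excel-DataProcessor'   # assumed path
```

AllowSubfolders is written as 0 on purpose: a trusted folder that also trusts its subfolders is one misplaced download away from trusting something you did not intend.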

Network Security

  • HTTPS only - Verify the CMMS URL uses https:// with a valid certificate, and never start Chrome or ChromeDriver with options that ignore certificate errors
  • VPN - Use when accessing corporate systems remotely
  • Network monitoring - Review logs for unusual activity

Known Security Considerations

By Design

  1. Selenium WebDriver - Requires Chrome and ChromeDriver

    • Keep both updated to the latest versions; ChromeDriver's major version must match the installed Chrome
    • Tool includes auto-update script: Update-ChromeDriver.ps1
  2. PowerShell Execution - Requires RemoteSigned policy

    • RemoteSigned only demands a signature on scripts that carry Mark-of-the-Web (downloaded files); local scripts run unchecked, so the policy is not a substitute for review
    • Only run scripts from trusted sources
    • Review scripts before execution
  3. Excel Macros - VBA code execution required

    • Review code before importing modules
    • Verify source is official repository
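A pre-flight check for the first two items, as an added example (not code from the project): it reports whether a script would actually run under the current execution policy, whether it carries Mark-of-the-Web and a valid Authenticode signature, and whether the ChromeDriver on disk matches the installed Chrome's major version. The Chrome install path and the drivers\ folder are assumptions.

```powershell
# Added example, not part of the project. Windows PowerShell 5.1. Paths below are assumptions.
function Test-ScriptTrust {
    param([Parameter(Mandatory)][string]$Path)
    $policy = "$(Get-ExecutionPolicy)"
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    # A Zone.Identifier stream (Mark-of-the-Web) marks the file as downloaded from the Internet zone.
    $motw   = [bool](Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    # RemoteSigned checks signatures only on MotW files; a local, unsigned script runs without any check.
    $willRun = switch ($policy) {
        { $_ -in 'Unrestricted', 'Bypass' } { $true }
        'RemoteSigned'                      { (-not $motw) -or ($sig.Status -eq 'Valid') }
        'AllSigned'                         { $sig.Status -eq 'Valid' }
        default                             { $false }   # Restricted, Undefined
    }
    [pscustomobject]@{
        Script = $Path; ExecutionPolicy = $policy; MarkOfTheWeb = $motw
        SignatureStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject; WillRun = $willRun
    }
}

function Test-ChromeDriverMatch {
    param(
        [string]$ChromePath = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",   # assumed
        [string]$DriverPath = '.\drivers\chromedriver.exe'                                # assumed
    )
    $chrome = (Get-Item -LiteralPath $ChromePath).VersionInfo.ProductVersion   # e.g. 124.0.6367.91
    $driverOutput = (& $DriverPath --version) -join ' '                        # "ChromeDriver 124.0.6367.91 (...)"
    $driver = [regex]::Match($driverOutput, '\d+(\.\d+)+').Value
    [pscustomobject]@{
        Chrome = $chrome; ChromeDriver = $driver
        MajorMatch = ($chrome.Split('.')[0] -eq $driver.Split('.')[0])   # ChromeDriver must track Chrome's major version
    }
}

# Usage (before running the tool):
#   Test-ScriptTrust -Path .\Update-ChromeDriver.ps1 | Format-List
#   Test-ChromeDriverMatch | Format-List
```

If WillRun is true but SignatureStatus is NotSigned, the execution policy is giving you nothing; that is the case where reading the script before running it is the only control left.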

Not Vulnerabilities

  • Config.bas being gitignored (intended security feature)
  • Password prompts for each session (security by design)
  • Chrome browser required (architectural decision)

Security Updates

Security patches will be released as:

  • Patch versions (1.0.x) for minor security fixes
  • Minor versions (1.x.0) for significant security improvements
  • Documented in CHANGELOG.md when created

Hall of Fame

We appreciate security researchers who help keep this project secure:


Last Updated: October 8, 2025
Maintainer: Kiril Martinez Tamayo (@KirilMT)

There aren’t any published security advisories