We release security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | β |
| < Latest | β |
We strongly recommend using the latest version to ensure you have all security updates.
We take security vulnerabilities seriously. If you discover a security issue, please follow these guidelines:
DO NOT open a public issue for security vulnerabilities.
Instead, please report security vulnerabilities through one of these channels:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the advisory form with details
Alternatively, send the details by email to: security@nodewave.net
For sensitive disclosures, contact security@nodewave.net to request our PGP public key.
Please provide:
- Description: Clear description of the vulnerability
- Impact: What can be compromised and how severe
- Reproduction: Step-by-step instructions to reproduce
- Affected Versions: Which versions are affected
- Proof of Concept: Code or commands demonstrating the issue
- Suggested Fix: If you have ideas on how to fix it
- Credit: How you'd like to be credited (optional)
Example of a well-formed report:

```
Title: SQL Injection in User Search API

Description:
The user search endpoint is vulnerable to SQL injection through the
'username' parameter.

Impact:
Attackers can execute arbitrary SQL commands, potentially accessing
or modifying all database data.

Severity: Critical

Affected Versions: v1.0.0 - v1.5.2

Reproduction Steps:
1. Send POST request to /api/users/search
2. Include payload: {"username": "admin' OR '1'='1"}
3. Observe that all users are returned

Proof of Concept:
curl -X POST https://example.com/api/users/search \
  -H "Content-Type: application/json" \
  -d '{"username": "admin'\'' OR '\''1'\''='\''1"}'

Suggested Fix:
Use parameterized queries or an ORM to prevent SQL injection.
```
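To make the suggested fix in the sample report concrete, here is an added example (not nodewave's code) showing the concatenated query that makes the `username` payload above part of the SQL, next to the parameterized form the report recommends, plus an input allowlist as defense in depth. The table and column names, the `$1` placeholder style (as used by node-postgres), and the minimal `db.query(text, values)` interface are assumptions for illustration.

```javascript
// Added example, not part of the original policy or the nodewave code base.
// Assumed schema: table "users" with columns "id" and "username".

// BEFORE: string concatenation. The payload from the sample report is spliced
// into the statement, so the WHERE clause becomes a tautology that matches
// every row.
function buildSearchQueryUnsafe(username) {
  return "SELECT id, username FROM users WHERE username = '" + username + "'";
}

// AFTER: parameterized query. The SQL text and the values travel separately to
// the driver, so the input is only ever compared as data, never parsed as SQL.
// The $1 placeholder style is the node-postgres convention (assumption).
function buildSearchQuerySafe(username) {
  return {
    text: 'SELECT id, username FROM users WHERE username = $1',
    values: [username],
  };
}

// Defense in depth: an allowlist for what a username may look like, so
// malformed input is rejected before any database work happens.
// The allowed character set and length are assumptions.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Handler shape for the endpoint named in the report (POST /api/users/search),
// written against a minimal db interface: db.query(text, values) -> Promise<rows>.
async function searchUsers(body, db) {
  const { username } = body ?? {};
  if (!isValidUsername(username)) {
    // Reject early; nothing reaches the database.
    return { status: 400, body: { error: 'invalid username' } };
  }
  const q = buildSearchQuerySafe(username);
  const rows = await db.query(q.text, q.values);
  return { status: 200, body: rows };
}

// Constructed payload, taken from the sample report, used to show the difference.
const PAYLOAD = "admin' OR '1'='1";

// Stand-alone demo: print both query forms for the same input.
console.log('unsafe:', buildSearchQueryUnsafe(PAYLOAD));
console.log('safe:  ', JSON.stringify(buildSearchQuerySafe(PAYLOAD)));
```

With the unsafe builder the printed statement ends in `WHERE username = 'admin' OR '1'='1'`, which is exactly why step 3 of the report observes all users being returned; with the parameterized builder the same string stays in `values` and the statement text keeps its single `$1` placeholder.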
We aim to respond according to the following timeline:
| Stage | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Triage & Validation | Within 7 days |
| Fix Development | Depends on severity |
| Fix Deployment | Coordinated disclosure |
| Public Disclosure | After fix is deployed |
| Severity | Response Time | Example |
|---|---|---|
| Critical | Fix within 7 days | Remote code execution, data breach |
| High | Fix within 30 days | Authentication bypass, privilege escalation |
| Medium | Fix within 90 days | XSS, CSRF, information disclosure |
| Low | Fix as able | Minor information leaks |
- Acknowledgment: We'll acknowledge receipt of your report
- Investigation: We'll investigate and validate the issue
- Fix Development: We'll develop and test a fix
- Coordination: We'll coordinate disclosure timing with you
- Release: We'll release the fix and security advisory
- Credit: We'll credit you in the advisory (if desired)
We follow coordinated disclosure:
- You report the vulnerability privately
- We work on a fix
- We release the fix
- We publish a security advisory
- Public disclosure happens after users can update
- We aim for disclosure within 90 days of initial report
- Critical vulnerabilities may be disclosed sooner
- We'll coordinate with you on timing
- Emergency patches may be released without advance notice
- Never commit secrets (API keys, passwords, tokens)
- Use environment variables for sensitive configuration
- Keep dependencies up to date
- Follow secure coding practices
- Run security scanners before submitting PRs
- Always use the latest version
- Keep dependencies updated
- Use strong authentication
- Enable two-factor authentication
- Follow principle of least privilege
- Monitor security advisories
Our projects include:
- Automated dependency scanning (Dependabot)
- CodeQL security analysis
- Secret scanning
- Container vulnerability scanning (Trivy)
- Regular security audits
Recommended security measures:
- Use HTTPS/TLS for all communications
- Implement rate limiting
- Use secure session management
- Validate and sanitize all inputs
- Implement proper access controls
- Log security events
- Regular security updates
Security updates are announced through:
- GitHub Security Advisories
- Repository releases
- Organization discussions
- Email notifications to info@nodewave.net subscribers
For Node.js projects, check for and apply dependency security fixes with npm:

```bash
# Check for updates
npm audit
# Apply security fixes
npm audit fix
# For breaking changes
npm audit fix --force
```

We currently do not have a formal bug bounty program, but we greatly appreciate responsible disclosure of security vulnerabilities. Security researchers who report valid vulnerabilities will be credited in our security advisories and receive our sincere gratitude.
We recognize security researchers who have helped us:
- [List of credited researchers]
For security questions that aren't vulnerabilities:
- Open a GitHub Discussion
- Contact us at info@nodewave.net
For vulnerabilities, always use the private reporting channels above.
Thank you for helping keep our organization and community safe!