## Supported Versions

Use this section to tell people about which versions of your project are currently being supported with security updates.

| Version | Supported |
|---|---|
| 1.0.x | β |
| 0.9.x | β |
| 0.8.x | β |
| < 0.8 | β |
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability in Beaver IM, please follow these steps:

- DO NOT create a public GitHub issue for the vulnerability
- DO NOT discuss the vulnerability in public forums or social media
- DO report it privately to our security team

Primary Contact:

- Email: 751135385@qq.com
- Subject: `[SECURITY] Beaver IM Vulnerability Report`

Alternative Contact:

- QQ Group: 1013328597 (Private message to admin)

Please include the following information in your report:
## Vulnerability Report
**Title**: [Brief description of the vulnerability]
**Severity**: [Critical/High/Medium/Low]
**Component**: [Which part of the system is affected]
**Description**: [Detailed description of the vulnerability]
**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
3. [Step 3]
**Expected Behavior**: [What should happen]
**Actual Behavior**: [What actually happens]
**Environment**:
- Version: [Beaver IM version]
- OS: [Operating system]
- Database: [Database version]
- Other relevant details
**Impact**: [What could an attacker do with this vulnerability]
**Suggested Fix**: [If you have any suggestions]
**Additional Information**: [Any other relevant details]

## Security Features

- **Multi-factor Authentication (MFA)**
  - Email verification codes
  - SMS verification (optional)
  - Biometric authentication support
- **JWT Token Management**
  - Secure token generation and validation
  - Token refresh mechanism
  - Token revocation on logout
- **Role-Based Access Control (RBAC)**
  - Granular permissions system
  - Admin role management
  - User permission validation
- **End-to-End Encryption**
  - Message encryption in transit (TLS 1.3)
  - Message encryption at rest
  - Secure key management
- **Password Security**
  - bcrypt hashing with salt
  - Password strength requirements
  - Account lockout protection
- **Data Privacy**
  - GDPR compliance features
  - Data anonymization options
  - User data export/deletion
- **Transport Layer Security**
  - TLS 1.3 encryption
  - Certificate pinning
  - Secure WebSocket connections
- **API Security**
  - Rate limiting and throttling
  - DDoS protection
  - Request validation and sanitization
- **Service Communication**
  - gRPC with TLS encryption
  - Service-to-service authentication
  - Secure service discovery
- **Container Security**
  - Docker image scanning
  - Minimal base images
  - Security patches and updates
- **Database Security**
  - Encrypted connections
  - Prepared statements
  - SQL injection prevention
- **Monitoring & Logging**
  - Security event logging
  - Intrusion detection
  - Audit trail maintenance
- **Code Security**
  - Regular security audits
  - Dependency vulnerability scanning
  - Secure coding guidelines
- **Testing**
  - Penetration testing
  - Security unit tests
  - Vulnerability scanning
- **Deployment**
  - Secure configuration management
  - Environment isolation
  - Access control implementation

## Security Best Practices for Users

- **Account Security**
  - Use strong, unique passwords
  - Enable multi-factor authentication
  - Regularly update your password
- **Device Security**
  - Keep your device updated
  - Use antivirus software
  - Avoid public Wi-Fi for sensitive operations
- **Data Protection**
  - Be cautious with shared information
  - Report suspicious activities
  - Use secure networks

## Response Timeline

- Initial Response: Within 24 hours
- Assessment: 1-3 business days
- Fix Development: 1-7 days (depending on severity)
- Testing: 1-3 days
- Release: Immediate for critical issues

## Disclosure Policy

- Private: Direct communication with reporter
- Public: Security advisory after fix is available
- CVE: Request CVE assignment for significant vulnerabilities

## Acknowledgments

We would like to thank the security researchers and community members who have helped improve Beaver IM's security.

## Contact

- Security Team: 751135385@qq.com
- Emergency Contact: QQ Group
- PGP Key: Security PGP Key

Thank you for helping keep Beaver IM secure!