We release patches for security vulnerabilities. Currently supported versions:

Note: Terminal Velocity has completed Phases 0-7 and is feature-complete for core gameplay. Security updates will be provided for the current development version.

The Terminal Velocity team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

contact@joshua-ferguson.com

Include the following information in your report:

• Type of vulnerability (e.g., SQL injection, authentication bypass, etc.)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

When you report a security issue, you can expect:

1. Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.

2. Communication: We will send you regular updates about our progress addressing the issue.

3. Timeline: We aim to:

   • Confirm the problem and determine affected versions within 7 days
   • Release a fix within 30 days of confirmation
   • Credit you in the security advisory (if desired)

4. Disclosure: We follow a coordinated disclosure process:

   • We will work with you to understand and resolve the issue
   • We will not disclose the issue until a fix is available
   • We will credit you in our release notes (unless you prefer to remain anonymous)

We prefer all communications to be in English.

If you're running a Terminal Velocity server, we recommend:

• Use strong host keys: Generate new ED25519 host keys, don't use default keys
• Limit connections: Configure firewall rules to restrict SSH access
• Monitor logs: Regularly review SSH connection logs for suspicious activity
• Rate limiting: Implement connection rate limiting to prevent brute force attacks
• Keep updated: Always run the latest version with security patches

• Use strong passwords: Generate secure passwords for PostgreSQL users
• Network isolation: Run PostgreSQL on localhost or private network only
• Regular backups: Backup your database regularly and test restoration
• Least privilege: Grant minimal required permissions to database users
• Update regularly: Keep PostgreSQL updated with security patches

• Environment variables: Never commit sensitive credentials to Git
• Input validation: The game validates all user input, but review logs for anomalies
• Session management: Session tokens are cryptographically secure
• Dependency updates: Keep Go modules updated (use go get -u ./...)

# Example: Run server with limited permissions
useradd -r -s /bin/false terminalvelocity
chown terminalvelocity:terminalvelocity /opt/terminal-velocity
sudo -u terminalvelocity ./terminal-velocity

# Use systemd service for automatic restart and logging
systemctl enable terminal-velocity
systemctl start terminal-velocity

• Use a firewall: Only expose SSH port (default 2222)
• Consider VPN: For private servers, use a VPN for access control
• DDoS protection: Use services like Cloudflare or similar if running publicly
• Monitor traffic: Watch for unusual connection patterns

Terminal Velocity has completed Phases 0-7 and is feature-complete for core gameplay. Some security features are not yet implemented:

• ⚠️ Password reset functionality (planned for future)
• ⚠️ Two-factor authentication (planned for future)
• ⚠️ Encrypted player data at rest (planned for future)

• ✅ Bcrypt password hashing
• ✅ Secure session token generation
• ✅ SQL injection prevention (parameterized queries)
• ✅ Input validation and sanitization
• ✅ Protection against path traversal
• ✅ Safe concurrency primitives (sync.RWMutex throughout)
• ✅ Role-Based Access Control (RBAC) with 4 admin roles and 20+ permissions
• ✅ Audit logging (10,000 entry buffer for admin actions)
• ✅ Rate limiting for connections
• ✅ Session management with auto-persistence
• ✅ Server-authoritative architecture (no client-side saves)
• ✅ Moderation tools (ban/mute with expiration tracking)

Planned security improvements:

1. OAuth/SSO integration - Phase 3+
2. End-to-end encryption for player communications - Phase 3+
3. Advanced intrusion detection - Phase 3+
4. Automated security scanning in CI/CD - In progress
5. Penetration testing - Before public release
6. Bug bounty program - After v1.0 release

Security updates will be announced through:

1. GitHub Security Advisories: https://github.com/JoshuaAFerguson/terminal-velocity/security/advisories
2. Release Notes: Security fixes will be clearly marked in release notes
3. Git Tags: Security releases will be tagged with patch version bumps

Subscribe to repository notifications to stay informed about security updates.

We follow these principles:

• Coordinated Disclosure: We work with reporters to validate and fix issues before public disclosure
• Transparency: Once fixed, we publicly disclose vulnerabilities with credit to reporters
• No Legal Action: We will not pursue legal action against security researchers who follow this policy
• Recognition: We maintain a security hall of fame for researchers who help us

Contributors who have responsibly disclosed security issues:

No entries yet - be the first to help secure Terminal Velocity!

The following are in scope for security reports:

• SSH authentication bypass
• SQL injection vulnerabilities
• Remote code execution
• Privilege escalation
• Session hijacking
• Denial of service (critical only)
• Information disclosure
• Cross-site scripting (if web interface is added)

The following are out of scope:

• Social engineering
• Physical attacks
• Issues in third-party dependencies (report to the dependency maintainers)
• Denial of service through resource exhaustion (expected in multiplayer games)
• Issues requiring physical access to the server
• Reports from automated tools without validation

For security concerns, contact:

Email: contact@joshua-ferguson.com PGP Key: (To be added in future release)

For general questions, use GitHub Issues.

• OWASP Top 10
• Go Security Best Practices
• PostgreSQL Security
• SSH Hardening Guide

Last Updated: 2025-01-07 Version: 0.7.0 (Phases 0-7 Complete - Feature Complete)

Thank you for helping keep Terminal Velocity secure!