Versions that receive security fixes:

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following channels:
- GitHub Security Advisories: Use the "Report a vulnerability" button in the Security tab
- Email: [security@your-domain.com] (replace with your contact)
Please include the following in your report:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- A suggested fix (if any)

Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution: depends on severity
Security best practices for contributors and operators:
- Never commit secrets: load them from environment variables or Azure Key Vault.
- Rotate tokens regularly, especially bot tokens and API keys.
- Use Managed Identity instead of API keys wherever a service supports it.
- Enable MFA for all Azure accounts.
- Review RBAC assignments regularly and keep them at least privilege.

Security controls in the deployed stack:

| Control | Implementation |
|---|---|
| Secrets Management | Azure Key Vault with Managed Identity |
| Transport Security | HTTPS-only, TLS 1.2+ enforced |
| Authentication | Entra ID + Managed Identity |
| Authorization | Azure RBAC, least-privilege |
| Content Safety | Pre-flight prompt filtering |
| Logging | Application Insights (no secrets logged) |

Deployment checklist (verify before going live):
- All secrets stored in Key Vault
- No secrets in code or config files
- Managed Identity enabled for all services
- HTTPS enforced (HTTP disabled)
- Minimum TLS version set to 1.2
- RBAC configured with least privilege
- Application Insights configured (secrets excluded)
- Network access restricted where possible
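
The "no secrets logged" control in the table above and the "secrets excluded" checklist item both depend on scrubbing credentials before a record reaches Application Insights. The following is an added example, not the project's own code: a `logging.Filter` that redacts Telegram bot tokens, Slack tokens, bearer tokens and `api_key=`/`secret=` parameters. The secret formats it recognises are this example's assumptions (extend `SECRET_PATTERNS` for anything else the deployment handles), and the sample log lines are constructed, not real credentials.

```python
"""Scrub bot tokens and API keys from log records before they reach telemetry.

Added example, not the project's code. The secret formats below are the
assumptions this example makes (Telegram bot tokens, Slack tokens, bearer
tokens, api_key/secret query parameters); extend SECRET_PATTERNS as needed.
"""
import logging
import re

REDACTED = "[REDACTED]"

# (name, pattern). Telegram bot tokens look like "<bot id>:<35 url-safe chars>",
# Slack tokens start with xox[abprs]-, bearer tokens follow "Bearer ", and
# api_key=/secret= parameters are caught generically in URLs or form bodies.
SECRET_PATTERNS = [
    ("telegram_token", re.compile(r"\b\d{6,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")),
    ("slack_token", re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b")),
    ("bearer", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}")),
    ("api_key_param", re.compile(r"(?i)\b(api[_-]?key|secret)=([^&\s'\"]+)")),
]


def redact(text: str) -> str:
    """Return text with every recognised secret replaced by [REDACTED].

    Parameter names and the word "Bearer" are kept so the line stays useful
    for debugging; only the credential material is removed.
    """
    for name, pattern in SECRET_PATTERNS:
        if name == "api_key_param":
            text = pattern.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
        elif name == "bearer":
            text = pattern.sub(f"Bearer {REDACTED}", text)
        else:
            text = pattern.sub(REDACTED, text)
    return text


def contains_secret(text: str) -> bool:
    """True if any pattern matches; usable as a CI check over captured logs."""
    return any(p.search(text) for _, p in SECRET_PATTERNS)


class RedactingFilter(logging.Filter):
    """Attach to the handler that feeds Application Insights (or any sink).

    The message is rendered once so both the format string and its args are
    scrubbed, then args are cleared so the handler cannot re-insert raw values.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def filtered_message(msg: str, *args) -> str:
    """Run one log call through RedactingFilter and return what a handler would emit."""
    record = logging.LogRecord("bot", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample log lines; none of these are real credentials.
SAMPLE_LINES = [
    "telegram webhook set for bot 110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsawQ",
    "slack auth ok token=xoxb-1234567890-ABCDEFGHIJKLMNOP",
    "outbound request Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.abcdefghijklmnop",
    "GET /v1/chat?api_key=sk-abcdef1234567890&user=42",
    "nothing secret here 42",
]


def demo_lines() -> list:
    """Redact every constructed sample line."""
    return [redact(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    logger = logging.getLogger("bot")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())  # put the filter where the export happens
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        logger.info("%s", line)
```

The filter belongs on the handler that exports to Application Insights rather than on the logger, so that records arriving from third-party libraries through the root logger are scrubbed as well. Pattern matching is a safety net, not a substitute for never passing secrets to `logger.*` in the first place.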
AI-specific considerations:
- Content filtering is enabled by default
- Per-request token caps bound the cost of runaway or abusive prompts
- Response caching can retain sensitive prompt or completion data; set a TTL appropriate to the data handled
Bot integrations authenticate every inbound webhook:
- Telegram: the webhook token is validated on every request
- Slack: request signatures (X-Slack-Signature over the timestamped raw body) must verify
- Discord: interaction signatures (X-Signature-Ed25519 over timestamp and body) must verify
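
The two webhook checks above that need only the standard library, shown as an added example rather than the project's own handler code: Slack's v0 signature (HMAC-SHA256 over `v0:<timestamp>:<raw body>` keyed with the app signing secret, compared against `X-Slack-Signature`, with stale timestamps rejected) and Telegram's `X-Telegram-Bot-Api-Secret-Token` header (must equal the `secret_token` registered with `setWebhook`). Discord's `X-Signature-Ed25519` check has the same shape but needs an Ed25519 library (PyNaCl or cryptography) and is not included. The signing secret, timestamp and request bodies in `demo()` are constructed test values.

```python
"""Authenticate inbound bot webhooks before any handler runs.

Added example, not the project's code. Implements Slack's v0 request
signature and Telegram's secret-token header using only the standard
library; Discord's Ed25519 check is omitted. All secrets and bodies used
in demo() are constructed test values.
"""
import hashlib
import hmac
import time
from typing import Optional

SLACK_MAX_SKEW_SECONDS = 300  # Slack's guidance: reject requests older than 5 minutes


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; frameworks differ in how they case names."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def sign_slack(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Compute the v0 signature Slack sends; also used to build test requests."""
    base = b"v0:" + timestamp.encode() + b":" + body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack(signing_secret: str, headers: dict, body: bytes,
                 now: Optional[float] = None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body.

    `body` must be the exact bytes received; re-serialising parsed JSON breaks the MAC.
    """
    timestamp = _header(headers, "X-Slack-Request-Timestamp")
    presented = _header(headers, "X-Slack-Signature")
    if not timestamp.isdigit() or not presented:
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > SLACK_MAX_SKEW_SECONDS:
        return False  # replayed or badly skewed request
    expected = sign_slack(signing_secret, timestamp, body)
    # constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(expected.encode(), presented.encode())


def verify_telegram(secret_token: str, headers: dict) -> bool:
    """Telegram sends the secret_token registered via setWebhook on every update."""
    presented = _header(headers, "X-Telegram-Bot-Api-Secret-Token")
    return hmac.compare_digest(secret_token.encode(), presented.encode())


def demo() -> dict:
    """Exercise both verifiers with constructed values and return the outcomes."""
    slack_secret = "8f742231b10e8888abcd99yyyzzz85a5"  # constructed, not a real secret
    ts = "1700000000"
    body = b'{"type":"event_callback","event":{"type":"message","text":"hi"}}'
    good = {"X-Slack-Request-Timestamp": ts,
            "X-Slack-Signature": sign_slack(slack_secret, ts, body)}
    return {
        "slack_valid": verify_slack(slack_secret, good, body, now=1700000010),
        "slack_tampered_body": verify_slack(slack_secret, good, body + b" ", now=1700000010),
        "slack_replayed": verify_slack(slack_secret, good, body, now=1700000000 + 3600),
        "slack_wrong_secret": verify_slack("not-the-secret", good, body, now=1700000010),
        "telegram_valid": verify_telegram("tg-secret",
                                          {"x-telegram-bot-api-secret-token": "tg-secret"}),
        "telegram_missing": verify_telegram("tg-secret", {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Run the verifier on the raw request bytes before JSON parsing, and return a generic 401 for every failure so an attacker cannot tell a bad signature from a stale timestamp.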
Blob storage hardening:
- Blob containers are private by default; keep public access disabled
- Shared access keys can be disabled; use Managed Identity instead
- Enable soft delete so deleted blobs and containers can be recovered
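
The deployment checklist, the storage hardening items above and the Managed Identity recommendation in the best practices all map to concrete ARM properties. The following added example (not the project's code) audits exported resource documents against them: `httpsOnly` and `siteConfig.minTlsVersion` on `Microsoft.Web/sites`, `enableRbacAuthorization`, `enableSoftDelete` and `publicNetworkAccess` on `Microsoft.KeyVault/vaults`, `allowBlobPublicAccess`, `allowSharedKeyAccess`, `minimumTlsVersion`, `supportsHttpsTrafficOnly` and `publicNetworkAccess` on `Microsoft.Storage/storageAccounts`, and `deleteRetentionPolicy.enabled` on the account's `blobServices`. The `SAMPLE_RESOURCES` documents are constructed to mirror the shape of `az resource show -o json` output and are not exported from any real subscription; one storage account is deliberately misconfigured so the audit has something to report.

```python
"""Audit exported Azure resource JSON against the deployment checklist.

Added example, not the project's code. Each check is an ARM property of the
listed resource type. SAMPLE_RESOURCES is constructed to mirror the shape of
`az resource show -o json` output; nothing here comes from a real subscription.
"""
import json
from typing import Any

# (label, dotted property path, expected value or tuple of acceptable values)
CHECKS = {
    "Microsoft.Web/sites": [
        ("HTTPS enforced", "properties.httpsOnly", True),
        ("Minimum TLS 1.2", "properties.siteConfig.minTlsVersion", "1.2"),
        ("Managed Identity enabled", "identity.type",
         ("SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned")),
    ],
    "Microsoft.KeyVault/vaults": [
        ("RBAC authorization (not access policies)", "properties.enableRbacAuthorization", True),
        ("Soft delete enabled", "properties.enableSoftDelete", True),
        ("Public network access disabled", "properties.publicNetworkAccess", "Disabled"),
    ],
    "Microsoft.Storage/storageAccounts": [
        ("Blob public access disabled", "properties.allowBlobPublicAccess", False),
        ("Shared key access disabled", "properties.allowSharedKeyAccess", False),
        ("Minimum TLS 1.2", "properties.minimumTlsVersion", "TLS1_2"),
        ("HTTPS-only traffic", "properties.supportsHttpsTrafficOnly", True),
        ("Public network access disabled", "properties.publicNetworkAccess", "Disabled"),
    ],
    "Microsoft.Storage/storageAccounts/blobServices": [
        ("Blob soft delete enabled", "properties.deleteRetentionPolicy.enabled", True),
    ],
}


def _get(doc: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; a missing key yields None (a finding)."""
    current = doc
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def audit(resource: dict) -> list:
    """Return one finding string per failed check for a single resource document."""
    rtype = resource.get("type", "")
    name = resource.get("name", "<unnamed>")
    findings = []
    for label, path, expected in CHECKS.get(rtype, []):
        actual = _get(resource, path)
        ok = actual in expected if isinstance(expected, tuple) else actual == expected
        if not ok:
            findings.append(f"{name} [{rtype}] {label}: expected {expected!r}, got {actual!r}")
    return findings


def run_audit(resources: list) -> list:
    """Audit every document; resource types without checks are skipped silently."""
    return [finding for resource in resources for finding in audit(resource)]


def load_resources(text: str) -> list:
    """Accept a single resource document or a JSON array of them."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


# Constructed documents shaped like `az resource show -o json`; not real exports.
SAMPLE_RESOURCES = [
    {"name": "bot-app", "type": "Microsoft.Web/sites",
     "identity": {"type": "SystemAssigned"},
     "properties": {"httpsOnly": True, "siteConfig": {"minTlsVersion": "1.2"}}},
    {"name": "bot-kv", "type": "Microsoft.KeyVault/vaults",
     "properties": {"enableRbacAuthorization": True, "enableSoftDelete": True,
                    "publicNetworkAccess": "Disabled"}},
    {"name": "botstorage", "type": "Microsoft.Storage/storageAccounts",  # deliberately weak
     "properties": {"allowBlobPublicAccess": False, "allowSharedKeyAccess": True,
                    "minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": True,
                    "publicNetworkAccess": "Enabled"}},
    {"name": "botstorage/default", "type": "Microsoft.Storage/storageAccounts/blobServices",
     "properties": {"deleteRetentionPolicy": {"enabled": False, "days": 0}}},
]


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_RESOURCES):
        print("FAIL", finding)
```

Feed it real data with `az resource show --ids <id> -o json` per resource (the app's `minTlsVersion` lives under the site's `config/web` child resource in some exports, so merge that into `properties.siteConfig` before auditing). A non-empty result should fail the deployment pipeline rather than just print.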
We use Dependabot for automated security updates. Review and merge security PRs promptly.