We actively support the following versions of the Zulip Standup Bot:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these guidelines:
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by:
- Email: Send details to ask@protomated.com
- Private GitHub Security Advisory: Use GitHub's private vulnerability reporting
- Encrypted Communication: Use our PGP key if you prefer encrypted communication
Please include the following information in your report:
- Description: A clear description of the vulnerability
- Impact: What an attacker could achieve by exploiting this vulnerability
- Reproduction Steps: Step-by-step instructions to reproduce the issue
- Environment: Version numbers, operating system, deployment method
- Proof of Concept: Code or screenshots demonstrating the vulnerability (if applicable)
- Suggested Fix: If you have ideas for how to fix the issue
After you report, you can expect the following response timeline:

- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Regular Updates: We will provide updates every 5 business days until resolution
- Resolution: We aim to resolve critical vulnerabilities within 30 days
Our disclosure policy:

- We follow responsible disclosure practices
- We will coordinate with you on disclosure timing
- We will credit you in security advisories (unless you prefer to remain anonymous)
- We request that you do not publicly disclose the vulnerability until we have released a fix
The Zulip Standup Bot implements several security measures.

Authentication and authorization:

- API Key Security: The bot authenticates to Zulip using API key authentication
- Scope Limitation: The bot requests only the permissions it needs
- Channel Permissions: Zulip's channel access controls are respected
- Admin Commands: Administrative commands require the appropriate permissions

Data protection:

- Minimal Data Storage: Only the data needed for standups is stored
- Data Encryption: Sensitive data is encrypted in transit and at rest
- Data Retention: Old data is cleaned up automatically (the retention period is configurable)
- No PII Collection: Unnecessary personal information is not collected

Input validation:

- SQL Injection Prevention: All database queries are parameterized
- Command Validation: All user input is validated and sanitized before use
- Rate Limiting: Command rate limiting prevents abuse
- Error Handling: Errors are handled without disclosing internal details to users

Network security:

- HTTPS Only: All external communication uses HTTPS
- Certificate Validation: TLS certificates are validated on outbound connections
- Timeout Handling: Timeouts on network operations prevent resource exhaustion
- Connection Pooling: Database connections are pooled and managed securely

Database security:

- Authentication: Strong authentication is required
- Encryption: Connections are encrypted with TLS
- Access Control: Access is restricted at the database level
- Backup Security: Backups are encrypted and stored securely
- File Permissions: Database files carry restrictive file system permissions
- WAL Mode: WAL mode is used for better concurrency and reliability
- Path Validation: Database file paths are validated before use

Container security:

- Non-root User: Containers run as a non-root user
- Minimal Base Images: Minimal Alpine Linux base images are used
- Security Updates: Base images are updated regularly
- Secret Management: Sensitive data is supplied through environment variables, which are handled securely

Configuration security:

- Configuration Validation: All configuration is validated at startup
- Log Security: Sensitive information is never written to logs
- Health Checks: Regular health monitoring
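As an added example (not the bot's own code), the database and input-validation measures above assembled into one Python helper, assuming the database is SQLite (as the WAL-mode item suggests) and using an assumed data directory, table schema and function names:

```python
# Added example, not the bot's own code: open the standup SQLite database the way the
# database and input-validation measures above describe (data dir, schema, names assumed).
import os
import sqlite3
import tempfile
from pathlib import Path

def validated_db_path(data_dir: str, requested: str) -> Path:
    """Reject '../x.db', absolute paths and symlinks that resolve outside data_dir."""
    base = Path(data_dir).resolve()
    target = (base / requested).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"database path escapes data dir: {requested!r}")
    return target

def open_standup_db(data_dir: str, name: str = "standups.db") -> sqlite3.Connection:
    path = validated_db_path(data_dir, name)
    conn = sqlite3.connect(path, timeout=5.0)  # bounded wait on a locked database
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode.lower() != "wal":                   # WAL: readers do not block the writer
        raise RuntimeError(f"could not enable WAL mode (got {mode!r})")
    conn.execute("CREATE TABLE IF NOT EXISTS standups "
                 "(user_id TEXT NOT NULL, stream TEXT NOT NULL, body TEXT NOT NULL)")
    os.chmod(path, 0o600)                       # owner read/write only
    return conn

def record_standup(conn: sqlite3.Connection, user_id: str, stream: str, body: str) -> None:
    # '?' placeholders: user text is bound as data and never spliced into the SQL.
    conn.execute("INSERT INTO standups (user_id, stream, body) VALUES (?, ?, ?)",
                 (user_id, stream, body))
    conn.commit()

def standups_for(conn: sqlite3.Connection, stream: str) -> list:
    rows = conn.execute("SELECT body FROM standups WHERE stream = ? ORDER BY rowid", (stream,))
    return [body for (body,) in rows]

def run_demo() -> dict:
    """Exercise the helpers in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            validated_db_path(tmp, "../outside.db")
            rejected = False
        except ValueError:
            rejected = True
        conn = open_standup_db(tmp)
        hostile = "done; '); DROP TABLE standups; --"  # constructed injection-shaped input
        record_standup(conn, "alice", "engineering", hostile)
        perms = oct(os.stat(Path(tmp) / "standups.db").st_mode & 0o777)
        bodies = standups_for(conn, "engineering")
        conn.close()
    return {"traversal_rejected": rejected, "perms": perms, "bodies": bodies}
```

The injection-shaped body comes back as the literal text that was stored, and the table still exists, because the bound parameter is never interpreted as SQL.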
Recommended practices for developers working on the bot. For API keys:

- Storage: Never commit API keys to version control
- Rotation: Regularly rotate API keys
- Scope: Use minimal necessary permissions
- Monitoring: Monitor API key usage for anomalies

For the database:

- Credentials: Use strong, unique database credentials
- Network: Restrict database network access
- Backups: Secure backup storage and encryption
- Monitoring: Monitor database access and performance

For deployment:

- Updates: Keep all dependencies up to date
- Monitoring: Monitor for security vulnerabilities
- Access Control: Limit deployment access to authorized personnel
- Logging: Maintain security logs for audit purposes

Recommended practices for administrators running the bot. For the bot account:

- Dedicated Bot Account: Create a dedicated Zulip bot account
- Minimal Permissions: Grant only necessary permissions
- Regular Audits: Regularly audit bot permissions and access
- Monitor Activity: Monitor bot activity for anomalies

For infrastructure:

- Secure Hosting: Use a secure, updated hosting environment
- Network Security: Implement proper network security measures
- Access Control: Limit access to bot configuration and data
- Regular Updates: Keep the bot and its dependencies updated

For configuration:

- Strong Passwords: Use strong database passwords
- Environment Variables: Use environment variables for secrets
- Configuration Review: Regularly review configuration
- Backup Security: Secure backup procedures
Administrators should be aware of the following privacy considerations:

- Message Privacy: The bot can read all messages in channels where it is added
- Data Persistence: Standup data is stored persistently (with configurable retention)
- AI Integration: When enabled, standup summaries are sent to third-party AI services

Recommendations:

- Channel Scope: Only add the bot to channels where standup functionality is needed
- Data Retention: Configure appropriate data retention policies
- AI Privacy: Review AI service privacy policies if using AI summaries
- Regular Audits: Conduct regular security audits
We maintain a record of security vulnerabilities and their resolutions:
- No security vulnerabilities reported to date
For security-related questions or concerns:
- Email: ask@protomated.com
- Security Advisories: GitHub Security Advisories
- General Support: GitHub Issues (for non-security issues only)
This project follows:
- OWASP Guidelines: Web application security best practices
- Python Security: Python-specific security recommendations
- Docker Security: Container security best practices
- Data Protection: GDPR-compliant data handling (where applicable)
Thank you for helping keep the Zulip Standup Bot secure! 🔒