| Version | Supported |
|---|---|
| Latest release on main | ✅ |
| Older releases | ❌ — please update |
Do not open a public GitHub issue for security vulnerabilities.
Please report vulnerabilities privately via GitHub's built-in security advisory system:
- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Fill in the details — include steps to reproduce, affected component, and potential impact.
You will receive an acknowledgement within 5 business days. We aim to triage and respond with a remediation plan within 14 days of receiving a valid report.
The following are in scope for security reports:
- Relay confidentiality — any scenario where the relay could read or log message content
- Denial of service — bypassing the per-IP rate limits, or exhausting rooms so that legitimate clients cannot pair
- Room isolation — a client gaining access to a room they did not join
The following are out of scope:
- Vulnerabilities in third-party dependencies (report those upstream)
- Issues requiring physical access to the server
SemaBuzz Relay is designed with the following guarantees:
- Blind pass-through. The relay never reads, parses, logs, or stores message content. It forwards raw binary frames between paired peers only.
- No persistence. IP addresses and room tokens are held in memory only for the duration of an active session.
- Rate limiting. Connections per IP and rooms per IP are capped to limit abuse.
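The three guarantees above are easiest to reason about as invariants over the relay's in-memory state. The following is an added illustration, not SemaBuzz Relay's own code: a toy state model in which frames are forwarded as opaque bytes to the sender's room peers only, per-IP connection and room counts are capped, and a disconnect leaves nothing behind. Every name (RelayState, RelayError, the MAX_* caps, ROOM_SIZE) and every limit value is an assumption; the page does not state the real relay's transport, framing or numbers.

```python
"""Toy relay state model for the guarantees listed above (added example, not project code)."""
from typing import Dict, List, Optional, Set

MAX_CONNS_PER_IP = 3  # assumed cap, not the project's real value
MAX_ROOMS_PER_IP = 2  # assumed cap
ROOM_SIZE = 2         # "paired peers": a room holds exactly two clients


class RelayError(Exception):
    """Refusal of a request. Messages never carry frame content."""


class Conn:
    def __init__(self, conn_id: int, ip: str) -> None:
        self.conn_id = conn_id
        self.ip = ip
        self.room: Optional[str] = None
        self.outbox: List[bytes] = []  # stands in for the peer's socket


class RelayState:
    def __init__(self) -> None:
        self.conns: Dict[int, Conn] = {}
        self.rooms: Dict[str, Set[int]] = {}        # room token -> member conn ids
        self.conns_per_ip: Dict[str, int] = {}
        self.rooms_per_ip: Dict[str, Set[str]] = {}  # ip -> rooms it currently occupies
        self._next_id = 0

    def connect(self, ip: str) -> int:
        if self.conns_per_ip.get(ip, 0) >= MAX_CONNS_PER_IP:
            raise RelayError("too many connections from this IP")
        self._next_id += 1
        self.conns[self._next_id] = Conn(self._next_id, ip)
        self.conns_per_ip[ip] = self.conns_per_ip.get(ip, 0) + 1
        return self._next_id

    def join(self, conn_id: int, room_token: str) -> None:
        conn = self.conns[conn_id]
        if conn.room is not None:
            raise RelayError("already in a room")
        if len(self.rooms.get(room_token, ())) >= ROOM_SIZE:
            raise RelayError("room is full")
        ip_rooms = self.rooms_per_ip.get(conn.ip, set())
        # A room this IP is not already part of counts against its room cap.
        if room_token not in ip_rooms and len(ip_rooms) >= MAX_ROOMS_PER_IP:
            raise RelayError("too many rooms from this IP")
        self.rooms.setdefault(room_token, set()).add(conn_id)
        self.rooms_per_ip.setdefault(conn.ip, set()).add(room_token)
        conn.room = room_token

    def forward(self, conn_id: int, frame: bytes) -> int:
        """Hand the frame, untouched, to the other members of the sender's room.

        The bytes are never decoded, parsed or logged. Returns the number of peers
        that received the frame; a client outside any room gets nothing delivered.
        """
        conn = self.conns[conn_id]
        if conn.room is None:
            raise RelayError("not in a room")
        delivered = 0
        for peer_id in self.rooms[conn.room]:
            if peer_id != conn_id:  # room isolation: only co-members ever see it
                self.conns[peer_id].outbox.append(frame)
                delivered += 1
        return delivered

    def disconnect(self, conn_id: int) -> None:
        conn = self.conns.pop(conn_id)
        remaining = self.conns_per_ip[conn.ip] - 1
        if remaining:
            self.conns_per_ip[conn.ip] = remaining
        else:
            del self.conns_per_ip[conn.ip]
        if conn.room is not None:
            members = self.rooms[conn.room]
            members.discard(conn_id)
            if not members:
                del self.rooms[conn.room]
            still_there = any(c.ip == conn.ip and c.room == conn.room for c in self.conns.values())
            if not still_there:
                ip_rooms = self.rooms_per_ip[conn.ip]
                ip_rooms.discard(conn.room)
                if not ip_rooms:
                    del self.rooms_per_ip[conn.ip]
        # Nothing about the session survives: no IP, token or frame is written anywhere.

    def is_empty(self) -> bool:
        return not (self.conns or self.rooms or self.conns_per_ip or self.rooms_per_ip)
```

The model is deliberately narrow: it shows where each in-scope bug class would live (a `forward` that inspected `frame`, a `join` that let a third party into a room, a counter that is never decremented), so a report can point at the corresponding invariant.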