Archive/nodepass/SECURITY.md
2025-11-20 19:39:45 +01:00


Security Policy

Supported Versions

We provide security updates for the following versions of NodePass:

Version   Supported
Latest    Yes

Security Features

NodePass implements multiple security layers:

TLS Encryption Modes

  • TLS Mode 0: Unencrypted mode for trusted networks (highest performance, no encryption)
  • TLS Mode 1: Self-signed certificates with TLS 1.3 (balanced security, no verification)
  • TLS Mode 2: Custom certificate validation with TLS 1.3 (enterprise security, full verification)
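The three modes differ in what the client does with the peer's certificate, and the difference is easy to get wrong in configuration. The following Go snippet is an added example (not NodePass's own code): it maps the policy's mode numbers onto client settings and applies the same certificate check crypto/tls performs, against a self-signed certificate generated in memory. The helper names and the host name nodepass.test are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate for the constructed name "nodepass.test" (what a TLS Mode 1 endpoint presents).
func selfSignedCert() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "nodepass.test"},
		DNSNames: []string{"nodepass.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientConfigForMode maps the policy's TLS modes onto client settings (hypothetical helper, not NodePass code):
// 0 = no TLS at all, 1 = TLS 1.3 without peer verification, 2 = TLS 1.3 with the peer verified against roots.
func clientConfigForMode(mode int, roots *x509.CertPool) (*tls.Config, error) {
	switch mode {
	case 0:
		return nil, nil // plaintext: nothing to configure, and nothing protects the tunnel on the wire
	case 1:
		return &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true}, nil
	case 2:
		if roots == nil { // a nil RootCAs would silently fall back to the system trust store
			return nil, errors.New("TLS mode 2 requires an explicit root pool")
		}
		return &tls.Config{MinVersion: tls.VersionTLS13, ServerName: "nodepass.test", RootCAs: roots}, nil
	}
	return nil, errors.New("unknown TLS mode")
}

// peerAccepted mirrors the client-side check crypto/tls makes with cfg: a nil config (mode 0) or InsecureSkipVerify (mode 1) accepts any peer; otherwise the certificate must verify against cfg.RootCAs for cfg.ServerName.
func peerAccepted(cfg *tls.Config, peer *x509.Certificate) bool {
	if cfg == nil || cfg.InsecureSkipVerify {
		return true // the peer's identity is never checked
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err == nil
}
```

Mode 1 accepts the self-signed certificate outright, while mode 2 accepts it only when that exact certificate is in the configured root pool, which is why the policy reserves mode 1 for cases where the peer's identity does not need to be proven.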

Network Security

  • Password-based tunnel authentication
  • Connection pooling with capacity limits
  • Graceful degradation under load
  • Configurable timeout and retry mechanisms

Reporting Security Vulnerabilities

We take security seriously. If you discover a security vulnerability in NodePass, please report it responsibly.

Where to Report

What to Include

Please provide the following information in your report:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact and affected versions
  4. Your contact information for follow-up
  5. Proof-of-concept code (if applicable)

Response Process

Our security response timeline:

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Assessment: Initial assessment within 5 business days
  3. Updates: Regular updates on investigation progress
  4. Resolution: Security patch and public disclosure coordination

Responsible Disclosure

We follow coordinated vulnerability disclosure:

  • Please do not create public GitHub issues for security vulnerabilities
  • Give us reasonable time to investigate and patch the issue
  • We will coordinate public disclosure timing with you
  • Security researchers will be credited in our security advisories

Security Best Practices

For Users

  • Use TLS Mode 1 or 2 in production environments
  • Choose strong passwords for tunnel authentication
  • Keep NodePass updated to the latest version
  • Monitor logs for suspicious activity
  • Limit network exposure by binding to specific interfaces
  • Use firewall rules to restrict access to tunnel ports

For Developers

  • Validate all inputs including URL parameters and network data
  • Use secure coding practices following Go security guidelines
  • Implement proper error handling without leaking sensitive information
  • Test security features thoroughly before release
  • Follow the principle of least privilege in code design

Security Architecture

Network Layer

  • TLS 1.3 encryption for secure data transmission
  • Certificate validation and auto-reload capabilities
  • Protection against common network attacks

Application Layer

  • Input validation and sanitization
  • Secure memory handling for sensitive data
  • Proper resource cleanup and connection management

Operational Security

  • Minimal container image based on scratch
  • No unnecessary dependencies or services
  • Clear separation of concerns between components

Known Security Considerations

TLS Mode 0 Usage

  • Only use in completely trusted networks
  • Not recommended for internet-facing deployments
  • Provides maximum performance at the cost of encryption

Master API Security

  • Secure the API endpoint with proper authentication
  • Use reverse proxy for additional security layers
  • Monitor API access and implement rate limiting

Security Updates

Security updates are released as:

  • Patch releases for critical vulnerabilities
  • Minor releases for security enhancements
  • Documentation updates for security best practices

Subscribe to our release notifications:

Ecosystem Security

NodePassProject Libraries

Our core dependencies are maintained by the NodePassProject organization:

  • cert: Certificate generation and management
  • conn: Secure connection handling
  • logs: Secure logging with sensitive data protection
  • pool: Connection pool management with resource limits

Third-Party Dependencies

  • We minimize external dependencies
  • All dependencies are regularly audited for security issues
  • Updates are applied promptly when security issues are discovered

Contact Information

For security-related questions or concerns:

Attribution

We appreciate security researchers who help improve NodePass security. Those who contribute to NodePass security will be acknowledged in:

  • Security advisories
  • Release notes
  • Our contributors list

Note: This security policy applies to the NodePass core project. For security issues in ecosystem projects (NodePassDash, NodePanel, etc.), please refer to their respective repositories in the NodePassProject organization.