We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
The FerroTunnel project team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by email to shahmitul005@gmail.com.
Or, if you prefer, you can use GitHub's private vulnerability reporting feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill in the details
Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
This information will help us triage your report more quickly.
Remediation of security vulnerabilities is prioritized by the project team. The project team coordinates remediation with third-party stakeholders via GitHub Security Advisories.
Third-party stakeholders may include:
- The reporter of the issue
- Affected direct or indirect users of FerroTunnel
- Maintainers of upstream dependencies (if applicable)
Downstream project maintainers and FerroTunnel users can request participation in coordination of applicable security issues by sending your contact information to shahmitul005@gmail.com.
Please include:
- Contact email address
- GitHub username(s)
- Description of how you use FerroTunnel
- Any other relevant information
Participation in security issue coordination is at the discretion of the FerroTunnel team.
The project team is committed to transparency in the security issue disclosure process.
Security advisories will be published through:
- GitHub Security Advisories: FerroTunnel Security Advisories
- RustSec Advisory Database: reported via `cargo-audit`
- GitHub Releases: security fixes will be documented in release notes
- CHANGELOG.md: all security-related changes will be clearly marked
- Initial Response: Within 48 hours of report
- Status Update: Within 7 days of report
- Fix Timeline: Varies by severity (critical issues prioritized)
- Public Disclosure: Coordinated with reporter after fix is available
This project uses automated security scanning:
- cargo-audit: Checks for known vulnerabilities in dependencies
- cargo-deny: Validates licenses and bans problematic crates
These checks run on every pull request and push to main.
```bash
# Install tools
cargo install cargo-audit cargo-deny

# Run security audit
cargo audit

# Run license and dependency check
cargo deny check
```

When using FerroTunnel:
- Keep Updated: Always use the latest stable version
- TLS Configuration: Use strong TLS settings (v1.2+)
- Authentication: Use strong, unique tokens
- Network Security: Deploy behind firewalls and use network segmentation
- Monitoring: Enable logging and monitor for suspicious activity
- Dependencies: Regularly run `cargo audit` to check for vulnerable dependencies
FerroTunnel is designed with security in mind:
- No unsafe code: `unsafe_code = "forbid"` at workspace level
- TLS by default: All tunnel traffic encrypted (when implemented)
- Token-based auth: Secure authentication system
- Audit logging: Comprehensive activity logging
- Input validation: All protocol messages validated
- Rate limiting: Protection against DoS attacks
Currently, FerroTunnel does not have a paid bug bounty program. However, we deeply appreciate security researchers who report vulnerabilities responsibly. We will publicly acknowledge reporters (with permission) in our security advisories and release notes.
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
- Only interact with accounts you own or for which you have explicit permission
- Contact us at shahmitul005@gmail.com if you encounter any user data during testing
- Do not exploit vulnerabilities beyond the minimum necessary to confirm their existence
We will not pursue legal action against researchers who follow these guidelines.
If you have any questions about this security policy, please contact shahmitul005@gmail.com.