
Security: VectoDE/VectoBeat

.github/SECURITY.md


Security & Responsible Disclosure

Enterprise-ready guidance for reporting vulnerabilities, shipping patches, and operating VectoBeat securely.


🔐 Supported Release Channels

| Channel | Examples | Support Status |
| --- | --- | --- |
| main | Latest commit on main | ✅ Full support |
| Tagged Releases | vX.Y.Z semver tags announced in the README | ✅ Supported until superseded |
| Forks / Custom Builds | Self-maintained patches, private plugins | ⚠️ Best-effort triage only |

Reproducible reports must target the latest commit on main or the most recent supported tag. Heavily modified forks may require you to maintain your own patch.


🚨 Reporting Workflow

  1. Keep reports private. Do not open public issues or discussions for vulnerabilities.
  2. Contact the security desk:
  3. Provide actionable evidence:
    • Affected version, deployment method, and configuration snippets.
    • Step-by-step reproduction (slash commands, payloads, API calls).
    • Impact assessment (token leak, playback disruption, privilege escalation, etc.).
    • Logs or proof-of-concept scripts (sanitize secrets beforehand).
  4. Encrypt if needed. Request a secure upload location for large files or encrypted archives.

Response targets:

| Severity | Examples | Ack SLA | Fix / Advisory Target |
| --- | --- | --- | --- |
| Critical | Token leakage, RCE, auth bypass | < 24h | < 7 days |
| High | Privilege escalation, data exposure, playback outage across guilds | < 48h | < 14 days |
| Medium | Information disclosure without secrets, DoS requiring unusual configuration | < 72h | < 30 days |
| Low | Best-practice gaps, low-impact configuration bugs | < 5 business days | As scheduled |

🧪 Reproduction & Verification Checklist

  • Capture the exact git commit SHA and bot build metadata.
  • List guild count, shard count, and hosting environment (Docker, bare metal, Kubernetes).
  • Share relevant `config.yml` excerpts and `.env` variables with secrets redacted.
  • Include Lavalink node version, enabled plugins, and whether SSL is enforced.
  • Attach sanitized Discord interaction IDs or trace IDs to correlate logs.
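The checklist asks reporters to share `config.yml` excerpts and `.env` variables with secrets redacted. The following is an added example of a small redaction pass a reporter can run over those excerpts before attaching them; it is not VectoBeat's own tooling. It assumes secrets live under keys containing words such as `TOKEN`, `PASSWORD` or `SECRET` (in either `KEY=value` or `key: value` form) or inside connection URLs (`scheme://user:password@host`); the sample lines are constructed placeholders, not real credentials.

```python
import re

# Constructed sample excerpts with placeholder values (not real credentials).
SAMPLE_ENV = """\
DISCORD_TOKEN=MTAxMjM0NTY3ODkw.GhIjKl.example-token-value
LAVALINK_HOST=lavalink.internal
LAVALINK_PASSWORD=youshallnotpass
REDIS_URL=redis://:hunter2@redis.internal:6379/0
SHARD_COUNT=4
"""

SAMPLE_YAML = """\
lavalink:
  host: lavalink.internal
  password: youshallnotpass   # assumed key name for illustration
  secure: true
"""

# Matches "KEY=value" or "key: value" when the key name contains a sensitive word.
KEY_VALUE = re.compile(
    r"^(?P<prefix>\s*[\w.\-]*(?:token|secret|password|passwd|api_key|private_key)"
    r"[\w.\-]*\s*[:=]\s*)(?P<value>\S.*)$",
    re.IGNORECASE,
)

# Matches the password part of "scheme://user:password@host" (user may be empty).
URL_CRED = re.compile(r"(://[^:/@\s]*:)[^@\s]+@")

PLACEHOLDER = "<REDACTED>"


def redact_line(line: str) -> str:
    """Return the line with any secret value replaced by a placeholder."""
    if line.lstrip().startswith("#"):
        return line  # comments are left untouched
    m = KEY_VALUE.match(line)
    if m:
        # Replace the whole value (including any trailing inline comment, which
        # may itself echo the secret) for keys that look sensitive.
        return f"{m.group('prefix')}{PLACEHOLDER}"
    # Otherwise only scrub credentials embedded in URLs.
    return URL_CRED.sub(rf"\1{PLACEHOLDER}@", line)


def redact(text: str) -> str:
    """Redact every line of a .env or YAML excerpt."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(redact(SAMPLE_ENV))
    print(redact(SAMPLE_YAML))
```

Keys that do not look sensitive (`LAVALINK_HOST`, `SHARD_COUNT`) pass through unchanged so the maintainers still get the deployment context they need; review the output by eye before sending, since a secret stored under an unusual key name will not be caught by the key pattern.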

🛡️ Hardening Recommendations

Identity & Secrets

  • Rotate Discord tokens, Lavalink credentials, and Redis passwords at least quarterly.
  • Store secrets in a vault (1Password, AWS Secrets Manager, etc.) instead of `.env` committed files.
  • Enable Discord application presence and command auditing to detect unauthorized usage.

Infrastructure

  • Bind Lavalink and Redis to private networks; never expose unauthenticated ports to the internet.
  • Force TLS for Lavalink ↔️ bot communication when deploying across hosts.
  • Run `docker scan` or `trivy` on container images prior to promotion.
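The two infrastructure points above (keep Redis and Lavalink off the public internet, force TLS between hosts) can be checked mechanically before a deployment is promoted. The following is an added example of such a pre-deployment audit, not code from the VectoBeat project. It inspects standard `redis.conf` directives (`bind`, `protected-mode`, `requirepass`) and the scheme and host of the Lavalink WebSocket URL the bot connects to; the config samples are constructed, and the rule that a cross-host Lavalink link must use `wss://` is this policy's recommendation, not a Lavalink default.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed weak redis.conf: reachable from every interface, no password.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened redis.conf: private address only, password required.
HARDENED_REDIS_CONF = """\
bind 10.0.3.12 127.0.0.1
protected-mode yes
requirepass <set-from-vault>
port 6379
"""

ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(conf: str) -> dict:
    """Map each directive name to its argument string (last occurrence wins)."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives[name.lower()] = args.strip()
    return directives


def audit_redis_conf(conf: str) -> list:
    """Return human-readable findings for exposure-related Redis settings."""
    d = parse_redis_conf(conf)
    findings = []
    bind_addrs = d.get("bind", "").split()
    # Without a bind directive Redis listens on all interfaces.
    if not bind_addrs or ALL_INTERFACES & set(bind_addrs):
        findings.append("bind: listens on all interfaces; bind Redis to a private or loopback address")
    if "requirepass" not in d:
        findings.append("requirepass: not set; Redis accepts unauthenticated clients")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled")
    return findings


def audit_lavalink_url(url: str, cross_host: bool = True) -> list:
    """Check the Lavalink endpoint for plaintext transport and public exposure."""
    u = urlparse(url)
    findings = []
    if cross_host and u.scheme != "wss":
        findings.append(f"scheme: {u.scheme}:// across hosts; use wss:// so credentials and traffic are encrypted")
    host = u.hostname or ""
    try:
        if ipaddress.ip_address(host).is_global:
            findings.append(f"host: {host} is a public address; keep Lavalink on a private network")
    except ValueError:
        pass  # hostname rather than an IP literal; resolve and check separately
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(name, audit_redis_conf(conf))
    print(audit_lavalink_url("ws://lavalink.internal:2333"))
    print(audit_lavalink_url("wss://10.0.3.20:2333"))
```

Wire `audit_redis_conf` and `audit_lavalink_url` into the same CI step that runs `trivy` on the image, and fail the pipeline on any finding; the checks are deliberately conservative and will not catch a firewall misconfiguration in front of a correctly bound service, so they complement rather than replace network-level review.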

📦 Dependency & CI Hygiene

  • Dependabot (`.github/dependabot.yml`) raises weekly PRs for pip, Docker, and GitHub Actions ecosystems.
  • The `security` GitHub Actions workflow executes static analysis and dependency audits on every push.
  • When adding new dependencies, run `pip install --upgrade -r requirements.txt`, regenerate lock files if applicable, and capture the reasoning in your PR.

Thank you for partnering with us to keep the VectoBeat community safe.
