If you discover a security vulnerability in xfr, please report it by opening a GitHub issue at:

https://github.com/lance0/xfr/issues

For sensitive vulnerabilities that should not be disclosed publicly, please email the maintainer directly.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial response: within 48 hours
• Status update: within 7 days
• Fix timeline: depends on severity

xfr is a network bandwidth testing tool. When running the server:

• The server accepts connections from any client by default
• Use --psk for pre-shared key authentication (HMAC-SHA256 challenge-response)
• Use --allow / --deny for IP-based access control lists
• Use --rate-limit to prevent abuse from individual IPs
• Consider firewall rules to restrict access
• Use --one-off mode for single-use testing

Important: QUIC encrypts traffic but uses self-signed certificates without server verification. This means QUIC alone does not protect against man-in-the-middle attacks. Always use PSK with QUIC on untrusted networks.

For encrypted + authenticated connections, use QUIC with PSK:

xfr serve --psk "secretkey"
xfr <host> -Q --psk "secretkey"

Use a strong, high-entropy PSK (16+ random characters) to prevent offline brute-force attacks.

When running the client:

• Only connect to trusted servers
• Use --psk when connecting to authenticated servers
• Use -Q (QUIC) for encrypted transport
• Be aware that bandwidth tests can saturate network links