Skip to content

Security: AichaDigital/unblock

SECURITY.md

Security Policy

πŸ”’ Supported Versions

We actively support the following versions of Unblock with security updates:

Version Supported
1.0.x βœ…
< 1.0 ❌

🚨 Reporting a Vulnerability

Please DO NOT report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in Unblock, please report it privately to help us fix it before public disclosure.

How to Report

  1. GitHub Security Advisories (Preferred):

  2. Email (Alternative):

What to Include

When reporting a vulnerability, please include:

  • Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
  • Full paths of affected source files
  • Location of the affected code (tag/branch/commit)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if available)
  • Impact of the vulnerability
  • Potential fix suggestions (if you have any)

What to Expect

  • Acknowledgment: We'll acknowledge your report within 48 hours
  • Updates: We'll send you updates about our progress every 5-7 days
  • Resolution: We aim to fix critical vulnerabilities within 30 days
  • Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)

Responsible Disclosure

We kindly ask that you:

  • βœ… Give us reasonable time to fix the vulnerability before public disclosure
  • βœ… Avoid exploiting the vulnerability beyond what's necessary to demonstrate it
  • βœ… Do not access, modify, or delete data belonging to others
  • βœ… Do not perform denial of service attacks

Our Commitment

We commit to:

  • βœ… Respond to your report promptly
  • βœ… Keep you informed about our progress
  • βœ… Credit you for responsible disclosure (if desired)
  • βœ… Release security updates as soon as possible

πŸ›‘οΈ Security Best Practices

When deploying Unblock, please follow these security best practices:

SSH Keys

  • βœ… Use restricted SSH keys with command wrappers
  • βœ… Never share private keys
  • βœ… Rotate keys every 6-12 months
  • βœ… Use ED25519 or RSA 4096-bit keys

Database

  • βœ… Use read-only MySQL users for WHMCS integration
  • βœ… Restrict database access by IP
  • βœ… Use SSL/TLS for database connections
  • βœ… Never commit .env files

Application

  • βœ… Keep Laravel and dependencies up to date
  • βœ… Use strong APP_KEY (Laravel auto-generates)
  • βœ… Enable HTTPS with valid SSL certificate
  • βœ… Configure proper file permissions (644 for files, 755 for directories)
  • βœ… Disable debug mode in production (APP_DEBUG=false)
  • βœ… Use secure session configuration (4-hour timeout)

Server

  • βœ… Keep CSF/firewall rules up to date
  • βœ… Monitor logs regularly
  • βœ… Use fail2ban or similar brute-force protection
  • βœ… Keep OS and packages updated

πŸ” Security Features

Unblock includes several security features:

  • IP Validation: All IP addresses are validated before processing
  • Command Sanitization: All SSH commands are sanitized
  • Audit Logging: All actions are logged with user and timestamp
  • Session Timeout: Automatic logout after 4 hours of inactivity
  • OTP Authentication: One-time password for secure login
  • Permission System: Granular access control for authorized users
  • GDPR Compliance: IP filtering ensures only exact matches are processed

πŸ“š Security Resources

πŸ† Hall of Fame

We thank the following security researchers for responsibly disclosing vulnerabilities:

No vulnerabilities reported yet


Thank you for helping keep Unblock and its users safe! πŸ™

There aren't any published security advisories