We actively support the following versions of Unblock with security updates:
| Version | Supported |
|---|---|
| 1.0.x | β |
| < 1.0 | β |
Please DO NOT report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in Unblock, please report it privately to help us fix it before public disclosure.
-
GitHub Security Advisories (Preferred):
- Go to https://github.com/AichaDigital/unblock/security/advisories/new
- Click "Report a vulnerability"
- Fill in the details
-
Email (Alternative):
- Send details to: abdelkarim@aichadigital.es
- Include "SECURITY - Unblock" in the subject line
When reporting a vulnerability, please include:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Full paths of affected source files
- Location of the affected code (tag/branch/commit)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if available)
- Impact of the vulnerability
- Potential fix suggestions (if you have any)
- Acknowledgment: We'll acknowledge your report within 48 hours
- Updates: We'll send you updates about our progress every 5-7 days
- Resolution: We aim to fix critical vulnerabilities within 30 days
- Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)
We kindly ask that you:
- β Give us reasonable time to fix the vulnerability before public disclosure
- β Avoid exploiting the vulnerability beyond what's necessary to demonstrate it
- β Do not access, modify, or delete data belonging to others
- β Do not perform denial of service attacks
We commit to:
- β Respond to your report promptly
- β Keep you informed about our progress
- β Credit you for responsible disclosure (if desired)
- β Release security updates as soon as possible
When deploying Unblock, please follow these security best practices:
- β Use restricted SSH keys with command wrappers
- β Never share private keys
- β Rotate keys every 6-12 months
- β Use ED25519 or RSA 4096-bit keys
- β Use read-only MySQL users for WHMCS integration
- β Restrict database access by IP
- β Use SSL/TLS for database connections
- β
Never commit
.envfiles
- β Keep Laravel and dependencies up to date
- β
Use strong
APP_KEY(Laravel auto-generates) - β Enable HTTPS with valid SSL certificate
- β Configure proper file permissions (644 for files, 755 for directories)
- β
Disable debug mode in production (
APP_DEBUG=false) - β Use secure session configuration (4-hour timeout)
- β Keep CSF/firewall rules up to date
- β Monitor logs regularly
- β Use fail2ban or similar brute-force protection
- β Keep OS and packages updated
Unblock includes several security features:
- IP Validation: All IP addresses are validated before processing
- Command Sanitization: All SSH commands are sanitized
- Audit Logging: All actions are logged with user and timestamp
- Session Timeout: Automatic logout after 4 hours of inactivity
- OTP Authentication: One-time password for secure login
- Permission System: Granular access control for authorized users
- GDPR Compliance: IP filtering ensures only exact matches are processed
We thank the following security researchers for responsibly disclosing vulnerabilities:
No vulnerabilities reported yet
Thank you for helping keep Unblock and its users safe! π