This project is currently under active development. Security updates are provided for the latest version only.
| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability in this project, please report it responsibly:
- Do not create a public issue for security vulnerabilities
- Email your findings to: admin@birdo.uk
- Provide detailed information including:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (if any)
We will respond within 48 hours and keep you updated on our progress toward a fix.
- Strong password requirements (minimum 12 chars, complexity enforced)
- Multi-factor authentication for admin accounts
- JWT-based session management with short expiration
- Role-based access control (Owner/Admin/Pro/Basic levels)
- Rate limiting on authentication attempts
- Secure password reset mechanism
- TLS 1.3 enforced for all communications
- Certificate pinning for C2 connections
- IP whitelisting/blacklisting capabilities
- SYN flood protection and other DDoS mitigations
- Connection rate limiting
- All sensitive data encrypted at rest
- Secure credential storage using bcrypt
- Command signing with HMAC-SHA256
- Audit logging of all security-relevant events
- Challenge-response authentication for bots
- Secure heartbeat mechanism
- Automatic cleanup of inactive bots
- Anti-debugging techniques
- Persistence mechanisms
- Input validation for all commands
- Restricted attack methods per user level
- Private IP range blocking
- Attack duration limits
- Concurrent attack limits
- Regularly rotate API keys and JWT secrets
- Monitor audit logs for suspicious activity
- Keep server software updated
- Use firewall rules to restrict access
- Implement regular backups
- Never share your API keys or credentials
- Use strong, unique passwords
- Report suspicious activity immediately
- Log out after each session
- Regularly check your account activity
- The self-signed certificate option should only be used for testing
- The proxy component may be vulnerable to resource exhaustion attacks
- Some attack methods may be detectable by modern security systems
- The persistence mechanism may not work on all Linux distributions
Security patches are released as needed. Subscribe to our security announcements to receive notifications.