If you discover a security vulnerability in kappopher, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Use GitHub's private vulnerability reporting
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution Timeline: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Next release cycle

Security issues we're interested in:

• Authentication/authorization bypasses
• Token leakage or exposure
• Injection vulnerabilities (SQL, command, etc.)
• Cross-site scripting (XSS) in any web components
• Denial of service vulnerabilities
• Race conditions leading to security issues
• Cryptographic weaknesses

• Issues in dependencies (report to the upstream project)
• Social engineering attacks
• Physical attacks
• Issues requiring unlikely user interaction

When using kappopher:

// DO: Use environment variables for secrets
clientID := os.Getenv("TWITCH_CLIENT_ID")
clientSecret := os.Getenv("TWITCH_CLIENT_SECRET")

// DON'T: Hardcode credentials
clientID := "abc123" // Never do this

Always verify EventSub webhook signatures:

handler := helix.NewEventSubWebhookHandler(webhookSecret)
// The handler automatically verifies signatures

When sharing caches across users, use context-aware cache keys:

// Use CacheKeyWithContext for multi-tenant applications
key := helix.CacheKeyWithContext(baseURL, endpoint, query, helix.TokenHash(userToken))

The library automatically sanitizes IRC messages to prevent injection:

// CR/LF characters are stripped from messages
client.Say(channel, userInput) // Safe - sanitized internally

This library includes several security features:

1. Webhook Signature Verification: All EventSub webhooks are verified using HMAC-SHA256
2. Body Size Limits: Webhook handlers limit request body size to 1MB
3. Timestamp Validation: Webhooks reject messages with future timestamps (with clock skew tolerance)
4. Message Deduplication: Prevents replay attacks on EventSub messages
5. Token Hashing: Cache keys use hashed tokens, never storing raw tokens
6. IRC Injection Prevention: CR/LF characters are sanitized from IRC messages
7. Thread-Safe Token Storage: All token operations use proper mutex synchronization

We use GitHub's Dependabot to monitor dependencies for known vulnerabilities. Security updates are prioritized and typically released within 48 hours of a CVE being published for a direct dependency.