We actively support the following versions of Blue CLI with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| < 1.0 | ❌ No |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues privately by:
- Email: Send details to [security@yourproject.com] (replace with actual email)
- GitHub Security Advisories: Use GitHub's private vulnerability reporting feature
- Encrypted Communication: Use our PGP key for sensitive information
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and attack scenarios
- Reproduction: Step-by-step instructions to reproduce
- Environment: Affected versions and configurations
- Proof of Concept: Code or screenshots (if applicable)
- Suggested Fix: If you have ideas for a fix
Once a report is received, you can expect the following response timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Status Updates: Every week until resolved
- Fix Timeline: Depends on severity (see below)
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, privilege escalation | 24-48 hours |
| High | Data exposure, authentication bypass | 1 week |
| Medium | Limited data exposure, DoS | 2 weeks |
| Low | Information disclosure, minor issues | 1 month |
Recommended practices for keystores:
- Never share keystore files or private keys
- Use strong passwords for keystore encryption
- Store keystores in secure locations with proper file permissions
- Consider using hardware security modules (HSM) for production
Recommended practices for RPC endpoints:
- Use secure RPC endpoints (HTTPS)
- Verify SSL certificates
- Be cautious with custom RPC URLs
Recommended practices for database connections:
- Use a VPN for remote database connections
- Use strong database passwords
- Enable SSL/TLS for database connections
- Regularly update database software
- Use SSH tunnels for remote connections
- Limit database user permissions
Recommended practices for configuration and secrets:
- Never commit sensitive configuration to version control
- Use environment variables for secrets
- Set proper file permissions on config files (mode 600: readable and writable by the owner only)
- Regularly rotate passwords and API keys
Recommended practices for development and testing:
- Follow secure coding practices
- Validate all user inputs
- Use parameterized queries for database operations
- Implement proper error handling (don't leak sensitive info)
- Regular dependency updates
- Include security tests in CI/CD
- Test with various input combinations
- Validate error handling paths
- Test permission boundaries
How Blue CLI handles key material:
- Private keys are stored encrypted on disk
- Keys are decrypted in memory only when needed
- Memory is cleared after use (where possible)
- Consider the security of your development environment
File system considerations:
- Blue CLI requires file system access for keystores and configs
- Ensure proper file permissions on sensitive files
- Be aware of temporary files that may contain sensitive data
Network considerations:
- All blockchain communications use HTTPS/WSS
- Database connections can be encrypted (recommended)
- SSH tunneling is supported for additional security
Database considerations:
- Package and module metadata is stored in databases
- No private keys or sensitive user data are stored in databases
- Use database-level encryption for additional security
Security updates are announced through:
- GitHub Security Advisories
- Release notes
- NPM security advisories
- Project README updates
Our update process:
- Security patches are released as soon as possible
- Critical vulnerabilities get immediate patch releases
- Users are notified through multiple channels
- Detailed security advisories are published after fixes
Security tooling used in the project:
- npm audit: Regular dependency vulnerability scanning
- CodeQL: Static analysis for security issues
- Dependabot: Automated dependency updates
- ESLint security rules: Code security linting
Security testing covers:
- Input validation testing
- Authentication/authorization testing
- Cryptographic function testing
- Network security testing
We encourage security researchers and the community to:
- Report vulnerabilities responsibly
- Contribute security improvements
- Share security best practices
- Participate in security discussions
We support responsible disclosure and will:
- Work with researchers to understand and fix issues
- Provide credit for responsible disclosure (if desired)
- Not pursue legal action for good-faith security research
This security policy covers:
- Blue CLI core functionality
- Official plugins and extensions
- Documentation and examples
- CI/CD and infrastructure
Remember: Security is a shared responsibility. Users must follow security best practices, and we commit to maintaining secure code and infrastructure.