| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | No |

We only provide security fixes for the latest release. Users should always update to the most recent version.

Please do not open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities privately using one of these methods:
- GitHub Security Advisories (preferred): Use the Report a vulnerability button on this repository
- Email: Contact the maintainer directly at the email listed on the GitHub profile

Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect after you report:
- Acknowledgment within 72 hours
- We will work with you to understand and validate the issue
- A fix will be developed and released as soon as practical
- You will be credited in the release notes (unless you prefer otherwise)
The following are in scope:
- BBS server application (PHP)
- Agent code (`bbs-agent.py`)
- Authentication and authorization bypasses
- SSH key handling and encryption
- Command injection via user input
- Privilege escalation
The following are out of scope:
- Vulnerabilities in upstream dependencies (borg, MariaDB, Apache, etc.) — report these to the respective projects
- Issues requiring physical access to the server
- Social engineering