| Version | Supported |
|---|---|
| 5.0.x | ✅ |
| 4.0.x | ❌ |
| 3.0.x | ❌ |
| 2.0.x | ❌ |
| 1.0.x | ❌ |
Only the latest major version receives security updates. Older versions are not maintained.
Please do not report security vulnerabilities through public GitHub issues.
- GitHub Security Advisory: Report via GitHub Security Advisories
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity

- We will investigate and validate the report
- We will work on a fix and coordinate disclosure
- You will be credited (unless you prefer anonymity)
When deploying BigBrotr, follow these recommendations:
```bash
# Use strong passwords
openssl rand -base64 32
```

```ini
# Restrict network access (pg_hba.conf)
# Only allow connections from application hosts

# Enable SSL for database connections (postgresql.conf)
ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
```

```bash
# Protect .env files
chmod 600 .env
# Never commit .env files
# Use secrets management in production:
# - Docker secrets
# - HashiCorp Vault
# - AWS Secrets Manager
```

```yaml
# Firewall: Only expose necessary ports
# PostgreSQL: Internal only (no public access)
# PGBouncer: Internal only
# Tor: Internal only
# Use internal Docker networks
networks:
  internal:
    internal: true
```

- Use non-root users in containers
- Keep base images updated
- Scan images for vulnerabilities
- Use read-only file systems where possible
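The fragment below is an added example, not BigBrotr's own `docker-compose.yml`; it shows how the network, secrets and container-hardening points above fit together in one Compose file. Service names, image names and tags (`bigbrotr:5.0`, `edoburu/pgbouncer`, `tor-proxy`), the `./secrets/db_password.txt` path and the `pgdata` volume are assumptions. The one caveat it makes explicit: a network with `internal: true` has no route to the outside world, so the archiver and the Tor container need a second, ordinary network to reach public relays, while PostgreSQL and PgBouncer stay on the internal network only and publish no ports.

```yaml
# Added example, not BigBrotr's own docker-compose.yml. Service names, image
# tags, the secret file path and the volume name are assumptions chosen to
# illustrate the recommendations above.
services:
  bigbrotr:
    image: bigbrotr:5.0               # assumed image name/tag
    user: "1000:1000"                 # unprivileged UID:GID, not root
    read_only: true                   # immutable root filesystem
    tmpfs:
      - /tmp                          # scratch space that stays writable
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    env_file: .env                    # mode 600, never committed
    networks:
      - internal                      # reaches pgbouncer and tor here
      - egress                        # needed to reach public relays
    depends_on:
      - pgbouncer
      - tor

  postgres:
    image: postgres:16                # pinned; rebuild as patched images ship
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # Docker secret, no literal
    secrets:
      - db_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - internal                      # no "ports:" entry: never published on the host

  pgbouncer:
    image: edoburu/pgbouncer:latest   # assumed community image; its own config omitted
    networks:
      - internal                      # internal only, no published ports

  tor:
    image: tor-proxy:latest           # assumed image providing a SOCKS proxy
    read_only: true
    networks:
      - internal                      # SOCKS port reachable only from bigbrotr
      - egress                        # Tor itself needs outbound access

networks:
  internal:
    internal: true                    # no route to the outside world
  egress: {}                          # ordinary bridge with outbound access

secrets:
  db_password:
    file: ./secrets/db_password.txt   # generate with: openssl rand -base64 32

volumes:
  pgdata: {}
```

After editing, `docker compose config` renders the resolved file; the check to make is that no database, pooler or Tor service carries a `ports:` key, and that only the services that genuinely need the internet are attached to `egress`.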
BigBrotr archives public Nostr events. Be aware that:
- All stored data was publicly available on relays
- Event content may include sensitive information
- Consider data retention policies
When using Tor for .onion relays:
- Traffic is routed through the Tor network
- Ensure the Tor proxy is properly configured
- Monitor for unusual traffic patterns
- Use PGBouncer for connection pooling
- Implement connection limits
- Monitor for SQL injection (stored procedures help mitigate)
Security updates are released as patch versions (e.g., 5.0.1).
To stay informed:
- Watch the repository for releases
- Check CHANGELOG.md for security fixes
- Subscribe to GitHub security advisories
We thank the security researchers who help keep BigBrotr secure.