We actively maintain and provide security updates for the following versions of SpikeGuard:
| Version | Supported | Status |
|---|---|---|
| 1.0.x | ✅ Current | Active security support |
- Email: Send details to security@bytebrush.dev
- PGP Key: Available at keybase.io/bytebrushstudios
- Response Time: We aim to respond within 48 hours
- Disclosure Timeline: Coordinated disclosure after fix is available
Subject: [SECURITY] SpikeGuard Vulnerability Report
**Vulnerability Type:**
[ ] Code Injection
[ ] Privilege Escalation
[ ] Information Disclosure
[ ] Denial of Service
[ ] Authentication Bypass
[ ] Other: ___________
**Component Affected:**
[ ] FXServer Lua Resource
[ ] Discord Bot
[ ] Configuration Files
[ ] Documentation
[ ] Other: ___________
**Severity Assessment:**
[ ] Critical (Remote code execution, data breach)
[ ] High (Privilege escalation, service disruption)
[ ] Medium (Information disclosure, local attacks)
[ ] Low (Minor information leakage)
**Description:**
[Detailed description of the vulnerability]
**Steps to Reproduce:**
1. [Step one]
2. [Step two]
3. [Step three]
**Proof of Concept:**
[Code, screenshots, or detailed explanation]
**Impact:**
[What an attacker could achieve]
**Suggested Fix:**
[If you have ideas for remediation]
**Credit:**
[How you'd like to be credited in advisories]
- File Operations: Status file writing and profiler dumps
- HTTP Requests: GitHub API version checking
- Console Commands: Admin command execution
- Memory Access: Performance data collection

```lua
-- Safe file operations with validation
local function SafeWriteFile(path, data)
    if not path or type(path) ~= "string" then
        return false, "Invalid file path"
    end
    -- Validate path to prevent directory traversal
    if string.find(path, "%.%.") then
        return false, "Path traversal detected"
    end
    -- SaveResourceFile writes relative to the current resource's directory
    local success, result = pcall(function()
        return SaveResourceFile(GetCurrentResourceName(), path, data, -1)
    end)
    return success, result
end

-- Rate limiting for HTTP requests
-- VersionManager.LastCheck and VersionManager.CheckCooldown are defined
-- elsewhere in the resource.
local function CheckRateLimit()
    local currentTime = GetGameTimer()
    if currentTime - VersionManager.LastCheck < VersionManager.CheckCooldown then
        return false
    end
    return true
end
```

- No sensitive data stored in configuration
- All HTTP requests use HTTPS
- File operations restricted to resource directory
- Console commands require appropriate permissions
- Bot Token Exposure: Configuration file security
- Command Injection: User input in commands
- Data Validation: FXServer status data processing
- Permission Escalation: Role and channel access

```javascript
const { EmbedBuilder } = require('discord.js');

// Input sanitization
function sanitizeServerName(input) {
    if (!input || typeof input !== 'string') {
        return 'Unknown Server';
    }
    // Remove potential injection characters (mention and markup syntax)
    return input.replace(/[<>@#&]/g, '').substring(0, 100);
}

// Safe embed creation
function createSafeEmbed(data) {
    const embed = new EmbedBuilder()
        .setTitle(sanitizeServerName(data.serverName))
        .setDescription(`Performance: ${parseFloat(data.memory || 0).toFixed(2)}MB`)
        .setTimestamp();
    return embed;
}

// Rate limiting (fixed window per user)
const rateLimits = new Map();
function checkRateLimit(userId, limit = 5, window = 60000) {
    const now = Date.now();
    const userLimit = rateLimits.get(userId) || { count: 0, resetTime: now + window };
    if (now > userLimit.resetTime) {
        userLimit.count = 0;
        userLimit.resetTime = now + window;
    }
    userLimit.count++;
    rateLimits.set(userId, userLimit);
    return userLimit.count <= limit;
}
```

- Bot token stored in separate config file
- Config file included in `.gitignore`
- Environment variable support for production
- Minimal required permissions requested
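A sliding-window variant of the bot's `checkRateLimit` above, as an added example that is not SpikeGuard's own code. The fixed window in the page's version lets a user send up to twice the limit around a window boundary and never evicts idle entries from the Map; this class keeps a per-user timestamp log, prunes expired entries, and sweeps idle users. The injected clock is an assumption made so the behaviour can be tested deterministically.

```javascript
class SlidingWindowLimiter {
  constructor({ limit = 5, windowMs = 60000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injected clock (assumption for deterministic tests)
    this.log = new Map(); // userId -> ascending array of request timestamps
  }

  // Returns true and records the request if the user is under the limit
  // for the window (now - windowMs, now]; returns false otherwise.
  allow(userId) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const stamps = (this.log.get(userId) || []).filter((s) => s > cutoff);
    if (stamps.length >= this.limit) {
      this.log.set(userId, stamps); // keep the pruned log; denied hits are not recorded
      return false;
    }
    stamps.push(t);
    this.log.set(userId, stamps);
    return true;
  }

  // Drop users whose last request is older than the window so the Map
  // cannot grow without bound; returns the number of users still tracked.
  sweep() {
    const cutoff = this.now() - this.windowMs;
    for (const [userId, stamps] of this.log) {
      if (stamps.length === 0 || stamps[stamps.length - 1] <= cutoff) {
        this.log.delete(userId);
      }
    }
    return this.log.size;
  }
}
```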

```lua
-- Production configuration
Config = {
    -- Disable debug logging in production
    debug = false,
    -- Restrict profiler dump frequency
    profilerCooldown = 300000, -- 5 minutes
    -- Limit status file size
    maxStatusFileSize = 1048576, -- 1MB
    -- Secure file paths
    statusPath = "data/status.json", -- No absolute paths
}
```

```javascript
// Production environment variables
const config = {
    token: process.env.DISCORD_TOKEN,
    clientId: process.env.CLIENT_ID,
    guildId: process.env.GUILD_ID,
    // Webhook timeout and embed size limit
    webhookTimeout: 5000,
    maxEmbedLength: 2048,
    // Rate limiting
    commandCooldown: 3000,
    globalRateLimit: 100
};
```

- Console commands require `command.spikeguardace` permission
- File operations restricted to resource directory
- No external network access except GitHub API
- Read-only access to server performance metrics

```javascript
const { PermissionFlagsBits } = require('discord.js');

// Minimal required permissions
const requiredPermissions = [
    PermissionFlagsBits.SendMessages,
    PermissionFlagsBits.EmbedLinks,
    PermissionFlagsBits.AttachFiles,
    PermissionFlagsBits.ReadMessageHistory
];

// Avoid these dangerous permissions
const dangerousPermissions = [
    PermissionFlagsBits.Administrator,
    PermissionFlagsBits.ManageGuild,
    PermissionFlagsBits.ManageRoles,
    PermissionFlagsBits.ManageChannels
];
```

- Performance Metrics: Memory usage, hitch detection, player count
- System Information: Server uptime, resource count
- No Personal Data: No player names, IPs, or personal information
- Local Only: All data stored locally on FXServer
- Temporary Files: Profiler dumps auto-cleaned after analysis
- No External Storage: No data sent to external services except GitHub API for version checking

```lua
-- Automatic cleanup configuration
Config.Cleanup = {
    profilerRetentionDays = 7,
    statusFileMaxAge = 86400, -- 24 hours
    performanceHistoryLimit = 100 -- entries
}
```

- Version Checking: Relies on GitHub API availability
- File System: Limited to FXServer resource directory
- Network Requests: Only HTTPS to api.github.com
- Console Access: Requires server console access for commands
- Graceful Degradation: System continues working if version check fails
- Input Validation: All user inputs are sanitized
- Error Handling: Comprehensive error catching prevents crashes
- Rate Limiting: Prevents abuse of HTTP requests and commands
- Added: Comprehensive input validation for all user inputs
- Added: Rate limiting for GitHub API requests
- Added: Safe file operations with path validation
- Added: Error handling for all external operations
- Security: Initial security audit completed
- Security: No known vulnerabilities at release
We thank the following researchers for responsible disclosure:
- No reports yet - be the first to help secure SpikeGuard!
- Email: security@bytebrush.dev
- PGP: keybase.io/bytebrushstudios
- Response Time: 48 hours maximum
- Languages: English
🛡️ Security is a shared responsibility. Thank you for helping keep SpikeGuard secure!
Last updated: July 25, 2025