This project supports security updates for the following versions:
| Version | Supported |
|---------|-----------|
| 2.x.x   | ✅ |
| 1.x.x   | ❌ (End of life) |
We take the security of ReChain DAO seriously. If you believe you have found a security vulnerability, please report it to us as described below.
We prefer to receive vulnerability reports through private channels to allow us to address issues before they are publicly disclosed.
Please do NOT file a public issue for security vulnerabilities.
- Email: Send your report to [email protected]
- PGP Key: Use our PGP key for encrypted communication (available upon request)
- Response Time: We aim to acknowledge receipt within 24 hours and provide a more detailed response within 72 hours
To help us reproduce and triage the problem, please include as much of the following information as you can:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source files related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
As a PHP-based application, we prioritize the following security measures:
- Input Validation: All user inputs are validated and sanitized using PHP filter functions
- SQL Injection Prevention: Use of prepared statements with PDO for all database operations
- XSS Protection: Output escaping using htmlspecialchars() and Content Security Policy headers
- Session Security: Secure session handling with proper configuration
- File Upload Security: Strict validation of file uploads and proper storage
For the database:
- MySQL database connections use SSL encryption where available
- Regular security audits of database permissions and access controls
- Sensitive data encryption at rest using industry-standard algorithms
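The application-level measures above (input validation with PHP filter functions, PDO prepared statements, `htmlspecialchars()` output escaping, a CSP header, session cookie hardening) and the database points (TLS to MySQL where available, credentials from the environment) in one minimal PHP 8 request handler. This is an added example, not code from the ReChain DAO repository; the `proposals` table and its columns, the CSP policy string and the `DB_*` environment variable names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ReChain DAO code. Table and column names, the CSP
// policy and the environment variable names are assumptions.

// Session security: set cookie flags before the session is started.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

// XSS protection (1/2): a Content Security Policy header.
header("Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'");

/**
 * Input validation: accept a proposal id only if it is a positive integer.
 * Returns null for anything else (non-numeric strings, floats, 0, negatives).
 */
function validateProposalId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Database connection: DSN, credentials and TLS CA come from the environment. */
function connect(): PDO
{
    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ];
    $ca = getenv('DB_SSL_CA');
    if ($ca !== false && $ca !== '') {
        $options[PDO::MYSQL_ATTR_SSL_CA] = $ca; // TLS to MySQL where available
    }
    return new PDO(
        getenv('DB_DSN') ?: 'mysql:host=localhost;dbname=rechain;charset=utf8mb4',
        getenv('DB_USER') ?: '',
        getenv('DB_PASS') ?: '',
        $options
    );
}

/**
 * SQL injection prevention: the id is bound as a typed parameter, never
 * concatenated into the query string.
 */
function fetchProposal(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, description FROM proposals WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** XSS protection (2/2): escape on output, covering both quote characters. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- request handling ---
$id = validateProposalId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid proposal id');
}

$proposal = fetchProposal(connect(), $id);
if ($proposal === null) {
    http_response_code(404);
    exit('Proposal not found');
}

echo '<h1>' . e($proposal['title']) . '</h1>';
echo '<p>' . e($proposal['description']) . '</p>';
```

Two design points worth noting: `PDO::ATTR_EMULATE_PREPARES` is set to `false` so that MySQL itself separates the statement from its parameters rather than the PDO driver doing client-side quoting, and `ENT_QUOTES` is passed to `htmlspecialchars()` because the default flags leave single quotes unescaped, which matters whenever a value lands inside a single-quoted attribute.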
For the API:
- RESTful APIs implement proper authentication and authorization
- Rate limiting to prevent abuse
- Input validation for all API endpoints
- Secure token handling with proper expiration and revocation
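The token-expiry, revocation and rate-limiting points above, as an added PHP 8 example that is not code from the ReChain DAO API. The in-memory token store, the fixed-window limiter and the fixed clock values are constructed stand-ins for whatever persistent storage and request plumbing the project actually uses.

```php
<?php
declare(strict_types=1);

// Added example, not ReChain DAO code. Stores are in-memory and the clock is
// passed in explicitly so the behaviour can be exercised deterministically.

/** Fixed-window rate limiter: at most $limit requests per $windowSeconds per client key. */
final class RateLimiter
{
    /** @var array<string, array{start:int, count:int}> */
    private array $windows = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    public function allow(string $clientKey, int $now): bool
    {
        $w = $this->windows[$clientKey] ?? ['start' => $now, 'count' => 0];
        if ($now - $w['start'] >= $this->windowSeconds) {
            $w = ['start' => $now, 'count' => 0]; // window elapsed, start a fresh one
        }
        $w['count']++;
        $this->windows[$clientKey] = $w;
        return $w['count'] <= $this->limit;
    }
}

/**
 * Token store: only a SHA-256 hash of each token is kept, together with an
 * expiry time and a revocation flag. A leaked store therefore does not yield
 * usable tokens, and lookups are by hash of a high-entropy random value.
 */
final class TokenStore
{
    /** @var array<string, array{user:string, expires:int, revoked:bool}> keyed by token hash */
    private array $tokens = [];

    public function issue(string $user, int $now, int $ttlSeconds): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->tokens[hash('sha256', $token)] = [
            'user' => $user, 'expires' => $now + $ttlSeconds, 'revoked' => false,
        ];
        return $token;
    }

    public function revoke(string $token): void
    {
        $h = hash('sha256', $token);
        if (isset($this->tokens[$h])) {
            $this->tokens[$h]['revoked'] = true;
        }
    }

    /** Returns the user for a valid token, or null if it is unknown, expired or revoked. */
    public function authenticate(string $presented, int $now): ?string
    {
        $rec = $this->tokens[hash('sha256', $presented)] ?? null;
        if ($rec === null || $rec['revoked'] || $now >= $rec['expires']) {
            return null;
        }
        return $rec['user'];
    }
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- demonstration with a fixed clock (constructed values) ---
$store   = new TokenStore();
$limiter = new RateLimiter(limit: 3, windowSeconds: 60);
$t0      = 1_700_000_000;

$token = $store->issue('alice', $t0, 3600);
check($store->authenticate($token, $t0 + 10) === 'alice', 'fresh token accepted');
check($store->authenticate($token, $t0 + 3600) === null, 'expired token rejected');
check($store->authenticate('not-a-token', $t0) === null, 'unknown token rejected');
$store->revoke($token);
check($store->authenticate($token, $t0 + 10) === null, 'revoked token rejected');

for ($i = 0; $i < 3; $i++) {
    check($limiter->allow('client-a', $t0 + $i), "request $i within limit");
}
check($limiter->allow('client-a', $t0 + 3) === false, '4th request in window rejected');
check($limiter->allow('client-b', $t0 + 3) === true, 'other client unaffected');
check($limiter->allow('client-a', $t0 + 60) === true, 'new window admits again');
echo "all checks passed\n";
```

In a real deployment the limiter state and token records live in shared storage (the database or a cache) so that all PHP workers see the same counters; the lookup-by-hash pattern still applies there, and the expiry and revocation checks belong in the same place so a token cannot be accepted by one path and rejected by another.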
In development:
- Follow PSR-12 coding standards
- Use static analysis tools (PHPStan, Psalm) to detect potential issues
- Regular code reviews with security focus
- Dependency scanning using Composer security audit
- Never commit sensitive information (API keys, database credentials) to version control
- Use environment variables for configuration
- Regular security updates for PHP and all dependencies
- Secure server configuration with proper file permissions
When a vulnerability is confirmed, we follow this process:
- Assessment: Immediately assess the severity and impact
- Containment: Implement temporary measures to mitigate risk
- Fix: Develop and test a permanent fix
- Communication: Notify affected users through appropriate channels
- Release: Deploy the fix and monitor for any issues
Security update policy:
- Critical security fixes are released as soon as possible
- Regular security patches are included in scheduled releases
- All security updates are thoroughly tested before deployment
We believe in responsible disclosure and will:
- Credit security researchers who report vulnerabilities
- Work with reporters to coordinate public disclosure timelines
- Not take legal action against researchers who follow this policy
For security-related matters, please contact:
- Email: [email protected]
- PGP: Available upon request
We appreciate your help in keeping ReChain DAO secure for all users.