We provide security updates for the following versions of NodePass:
| Version | Supported |
|---------|-----------|
| Latest  | ✅        |
NodePass implements multiple security layers:
- TLS Mode 0: Unencrypted mode for trusted networks (highest performance)
- TLS Mode 1: Self-signed certificates with TLS 1.3 (balanced security)
- TLS Mode 2: Custom certificate validation for enterprise security
- Password-based tunnel authentication
- Connection pooling with capacity limits
- Graceful degradation under load
- Configurable timeout and retry mechanisms
We take security seriously. If you discover a security vulnerability in NodePass, please report it responsibly.
- Email: [email protected]
- Subject: [SECURITY] Brief description of the issue
Please provide the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and affected versions
- Your contact information for follow-up
- Any proof-of-concept code (if applicable)
After you report an issue, you can expect the following response timeline:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: Initial assessment within 5 business days
- Updates: Regular updates on investigation progress
- Resolution: Security patch and public disclosure coordination
Responsible disclosure guidelines:
- Please do not create public GitHub issues for security vulnerabilities
- Give us reasonable time to investigate and patch the issue
- We will coordinate public disclosure timing with you
- Security researchers will be credited in our security advisories
Security best practices for users and operators:
- Use TLS Mode 1 or 2 in production environments
- Choose strong passwords for tunnel authentication
- Keep NodePass updated to the latest version
- Monitor logs for suspicious activity
- Limit network exposure by binding to specific interfaces
- Use firewall rules to restrict access to tunnel ports
Security best practices for developers:
- Validate all inputs, including URL parameters and network data
- Follow secure coding practices and Go security guidelines
- Implement proper error handling without leaking sensitive information
- Test security features thoroughly before release
- Follow the principle of least privilege in code design
Security architecture features:
- TLS 1.3 encryption for secure data transmission
- Certificate validation and auto-reload capabilities
- Protection against common network attacks
- Input validation and sanitization
- Secure memory handling for sensitive data
- Proper resource cleanup and connection management
- Minimal container image based on scratch
- No unnecessary dependencies or services
- Clear separation of concerns between components
TLS Mode 0 considerations:
- Only use in completely trusted networks
- Not recommended for internet-facing deployments
- Provides maximum performance by forgoing encryption entirely
API security:
- Secure the API endpoint with proper authentication
- Use reverse proxy for additional security layers
- Monitor API access and implement rate limiting
Security updates are released as:
- Patch releases for critical vulnerabilities
- Minor releases for security enhancements
- Documentation updates for security best practices
Subscribe to our release notifications:
Our core dependencies are maintained by the NodePassProject organization:
- cert: Certificate generation and management
- conn: Secure connection handling
- logs: Secure logging with sensitive data protection
- pool: Connection pool management with resource limits
Dependency policy:
- We minimize external dependencies
- All dependencies are regularly audited for security issues
- Updates are applied promptly when security issues are discovered
For security-related questions or concerns:
- Security Team: [email protected]
- General Issues: GitHub Issues
- Community: Telegram Group
We appreciate security researchers who help improve NodePass security. Contributors to NodePass security will be acknowledged in:
- Security advisories
- Release notes
- Our contributors list
Note: This security policy applies to the NodePass core project. For security issues in ecosystem projects (NodePassDash, NodePanel, etc.), please refer to their respective repositories in the NodePassProject organization.