Last Updated: 2026-03-09
FatTips takes security seriously. This document outlines our security practices and how to report vulnerabilities.
- Algorithm: AES-256-GCM
- Key Management: Master encryption key stored in environment variables only
- User Wallets: Each wallet encrypted with unique salt
- Discord Bot: Token-based authentication
- API: Per-user API keys with ownership validation
- Database: Limited-privilege database user
- Docker: Container isolation with resource limits
- Network: Internal Docker network, API bound to localhost
- Firewall: nftables with fail2ban integration
We provide security updates for the latest version only.
| Version | Supported |
|---|---|
| 0.2.x | ✅ Supported |
| < 0.2 | ❌ Not supported |
Please do NOT create a public GitHub issue for security vulnerabilities.
- Email: security@codestats.gg
- Discord: @brokechubb
- GitHub Security Advisories: Use the "Report a vulnerability" button
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
- Initial Response: Within 48 hours
- Status Update: Within 1 week
- Resolution: Depends on severity (see below)
| Severity | Response Time | Resolution Time |
|---|---|---|
| Critical | 24 hours | 1 week |
| High | 48 hours | 2 weeks |
| Medium | 1 week | 1 month |
| Low | 2 weeks | 3 months |
- Never share your private key - FatTips will never ask for it
- Use a strong, unique password - For your Discord account
- Enable 2FA - On your Discord account
- Verify bot permissions - Only grant necessary permissions
- Report suspicious activity - Contact us immediately
- Never commit `.env` files - Use `.env.example` as a template
- Rotate credentials regularly - Especially after team changes
- Use separate keys - Development vs Production
- Monitor logs - Watch for unusual activity
- Keep dependencies updated - Run `pnpm update` regularly
- Generate unique encryption keys - Never reuse the example values from `.env.example`
- Secure your database - Use strong passwords, limit access
- Enable firewall - Only expose necessary ports
- Regular backups - Encrypt and store securely
- Monitor resources - Watch for unusual CPU/memory usage
- ✅ AES-256-GCM encryption for private keys
- ✅ Unique salt per user
- ✅ No plaintext keys in database
- ✅ Ephemeral Discord responses for sensitive data
- ✅ Docker network isolation
- ✅ API rate limiting (60/min global, 10/min financial)
- ✅ CORS configuration
- ✅ Helmet.js security headers
- ✅ Input validation (Zod)
- ✅ SQL injection prevention (Prisma ORM; parameterised by default, raw queries via `$queryRawUnsafe` are not covered)
- ✅ Error handling without information leakage
- ✅ Logging without sensitive data
- Generate unique `MASTER_ENCRYPTION_KEY`
- Use strong database password
- Enable firewall
- Set up monitoring
- Configure backups
- Test disaster recovery
- Update dependencies monthly
- Review logs weekly
- Check for security advisories
- Rotate API keys quarterly
- Test backups monthly
- Discord DMs are not E2EE - Private keys sent via DM are encrypted in transit (TLS) but not end-to-end encrypted, so Discord's servers, and anyone with access to the Discord account, can read them
- Custodial by design - Users own their keys and can export them, but the bot stores the encrypted keys and holds the master key needed to decrypt them
- Single point of failure - Master encryption key compromise affects all users
- Users can export keys and use external wallets
- Master key stored only in environment, never in code
- Regular security audits recommended
We appreciate responsible disclosure. Contributors who report valid security issues will be acknowledged here (with permission).
No reports yet - Be the first!
Security Team: security@codestats.gg
PGP Key: [Available upon request]
Response Time: Within 48 hours
License: MIT
Repository: https://github.com/brokechubb/FatTips