The Bambuddy team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Or use GitHub's private vulnerability reporting feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions of Bambuddy
- Potential impact of the vulnerability
- Any suggested fixes (if you have them)
After you submit a report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will investigate and validate the issue within 7 days
- Updates: We will keep you informed of our progress
- Resolution: We aim to release a fix within 30 days for critical issues
- Credit: We will credit you in our release notes (unless you prefer to remain anonymous)
Supported versions (only these receive security fixes):

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Bambuddy communicates with your printers over your local network using:
- MQTT over TLS (port 8883) - Encrypted printer communication
- FTPS (port 990) - Encrypted file transfers
We recommend the following when deploying Bambuddy:
- Run on a trusted network: Bambuddy should only be accessible on your local network
- Use a reverse proxy: If exposing it to the internet, put it behind a reverse proxy that terminates HTTPS
- Keep it updated: Always run the latest version to receive security patches
- Secure API keys: Treat API keys like passwords; don't share them publicly
- Developer Mode: Use your printer's Developer Mode access code and don't share it
Security features built into Bambuddy:
- API key authentication for external access
- No default credentials
- Local-only by default (no cloud dependency)
- TLS encryption for printer communication
The following are in scope for security reports:
- Authentication/authorization bypasses
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Sensitive data exposure
- Insecure direct object references
The following are out of scope:
- Issues in dependencies (report to the upstream project)
- Social engineering attacks
- Physical attacks
- Denial of service (DoS) attacks
- Issues requiring physical access to the server
We thank the following individuals for responsibly disclosing security issues:
No security issues have been reported yet.
Thank you for helping keep Bambuddy and its users safe!