
Security: sbdevman/Thunderbolt

SECURITY.md

Security Policy

Supported Versions

Version | Supported
------- | ---------
0.1.x   | ✅ Current release

Reporting a Vulnerability

If you discover a security vulnerability in Thunderbolt, please report it responsibly.

⚠️ Do NOT open a public GitHub issue for security vulnerabilities.

How to Report

  1. Email: Send a detailed report to saeid.babaei@outlook.com
  2. GitHub Security Advisories: Use GitHub's private vulnerability reporting

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgement: Within 48 hours
  • Initial Assessment: Within 1 week
  • Fix & Disclosure: Coordinated with the reporter

Scope

The following are in scope for security reports:

  • Authentication / authorization bypass
  • Remote code execution
  • Injection vulnerabilities (SQL, command, etc.)
  • Sensitive data exposure (credentials, tokens)
  • Denial of service in the cluster engine
  • Plugin system sandbox escapes

Out of Scope

  • Vulnerabilities in third-party dependencies (report to the upstream project)
  • Issues that require physical access to the server
  • Social engineering attacks

Security Best Practices

When deploying Thunderbolt in production:

  • Never commit API keys or secrets; load them from environment variables or a secret manager, and treat any secret that has ever been committed as compromised and rotate it
  • Enable JWT authentication before exposing the service; development mode disables authentication entirely, so a development-mode instance must never be reachable from untrusted networks
  • Use TLS for all inter-node and client communication
  • Restrict the Akka.NET cluster ports (8558, and the Akka remoting port the node listens on) to internal networks only; these endpoints carry node-to-node traffic and must never be reachable from clients or the Internet
  • Configure Kubernetes network policies so that only Thunderbolt pods can reach each other's cluster ports and only the ingress path can reach the client API
  • Rotate InfluxDB tokens and PostgreSQL passwords regularly, and immediately after any suspected exposure
  • Review CORS settings: restrict AllowedOrigins to your dashboard domain, and never combine a wildcard origin with credentialed requests
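The two network items above (restricting port 8558 and isolating the cluster with network policies) can be expressed as a single Kubernetes NetworkPolicy. The manifest below is an added example and not part of the Thunderbolt project; it assumes a namespace named `thunderbolt`, Thunderbolt pods labelled `app=thunderbolt`, a client API on TCP 8080 reached only through an ingress controller in the `ingress-nginx` namespace, and 8558 as the only cluster port. All of those names and the 8080 port are assumptions, not values taken from the project.

```yaml
# Added example (not Thunderbolt's own manifest): keep the Akka.NET cluster port
# reachable only from other Thunderbolt pods, and the client API reachable only
# from the ingress controller. Assumed values: namespace "thunderbolt", label
# app=thunderbolt, ingress namespace "ingress-nginx", API port 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: thunderbolt-cluster-isolation
  namespace: thunderbolt
spec:
  # Applies to every Thunderbolt pod in the namespace.
  podSelector:
    matchLabels:
      app: thunderbolt
  # Listing only Ingress means: all inbound traffic not matched by a rule
  # below is dropped; outbound traffic is left unrestricted.
  policyTypes:
    - Ingress
  ingress:
    # Cluster traffic (Akka Management, port 8558): only other Thunderbolt
    # pods in this namespace. If the node also listens on a separate Akka
    # remoting port, add it to this same rule.
    - from:
        - podSelector:
            matchLabels:
              app: thunderbolt
      ports:
        - protocol: TCP
          port: 8558
    # Client API: only pods in the ingress controller namespace. The
    # kubernetes.io/metadata.name label is set automatically on namespaces.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Apply it with `kubectl apply -f` and confirm the rules with `kubectl describe networkpolicy thunderbolt-cluster-isolation -n thunderbolt`. Two caveats: a NetworkPolicy is only enforced when the cluster's CNI plugin supports it (Calico and Cilium do; a CNI without policy support silently accepts the object and enforces nothing), so test from a pod outside the selector that port 8558 is actually refused; and because the policy does not select the dashboard's browser traffic, the CORS restriction in the list above is still needed, since network isolation does not stop a malicious origin from making requests through the user's browser.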

There aren't any published security advisories