Upgrade to the latest version for all fixes.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- GitHub Private Vulnerability Reporting: Report a vulnerability (preferred)
- Email: lab137@yandex.ru
- Telegram: @addspin (private message)
Please include the following in your report:
- Type of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: depends on severity
| Severity | Description | Response |
|---|---|---|
| Critical | Remote code execution, auth bypass | Immediate fix |
| High | Data exposure, privilege escalation | Fix within 7 days |
| Medium | Limited impact vulnerabilities | Fix in next release |
| Low | Minor issues | Scheduled fix |
When deploying TLSS:
- Authentication - Do not use the configuration file to decrypt the encryption key. Set `authConfig: false`.
- Use HTTPS - Issue a server certificate using the service and include it in the configuration, or terminate TLS at a reverse proxy.
- Limit network access - Use firewall rules.
- Regular updates - Keep TLSS updated to the latest version.
- Secure credentials - Use complex passwords and a salt when encrypting the key.
I value any contribution to security and will credit security researchers who report real vulnerabilities in the release notes and changelog unless the reporter requests anonymity.