annoybots is released from main with semantic-versioned tags. Security fixes
land on the latest release; please test against the most recent vX.Y.Z (or
:latest) before reporting.
Please do not open a public issue for security vulnerabilities.
Report privately via GitHub's private vulnerability reporting (the repo's Security → Report a vulnerability tab). If you can't use that, email the maintainer at mrcupp@mrcupp.com.
Please include:
- a description of the issue and its impact,
- steps to reproduce (a minimal config or message sequence helps), and
- affected version / commit.
You'll get an acknowledgement, and a fix or mitigation will be coordinated before any public disclosure. This is a small solo-maintained project, so response is best-effort — thanks for your patience.
- Secrets (IRC/SASL passwords, Twitch/Discord tokens) are never stored in
configs or committed — they're injected via env vars from Kubernetes Secrets.
A finding that real credentials were committed is in scope; placeholder
templates (
secret.example.yaml,changemevalues) are not. - The admin console authenticates by verified identity (services account /
Discord ID / Twitch login) and is DM-only. The optional
!loginpassword fallback is nick-keyed and documented as weaker — auth-bypass beyond those documented limits is in scope.