TelemetryFlow Collector (OTEL Collector - OCB Native)

We release patches for security vulnerabilities in the following versions:

We take the security of TelemetryFlow Core seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

• Security Team: security@telemetryflow.id
• Project Lead: support@telemetryflow.id

Please include the following information in your report:

• Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability and how an attacker might exploit it

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: 30-90 days

• Security issues will be disclosed after a fix is available
• We will credit researchers who report vulnerabilities (unless they prefer to remain anonymous)
• We follow responsible disclosure practices

TelemetryFlow Collector uses govulncheck — the official Go vulnerability scanner powered by the Go Vulnerability Database. It performs call-graph analysis to determine whether your code actually invokes vulnerable code paths, not just whether vulnerable modules exist in go.sum.

flowchart TB
    subgraph Input["Input"]
        SRC["Go Source Code<br/>./..."]
        GOMOD["go.mod / go.sum"]
        DB["Go Vulnerability Database<br/>vuln.go.dev"]
    end

    subgraph Analysis["govulncheck Analysis"]
        PARSE["Parse Source<br/>& Build Call Graph"]
        SCAN["Scan Dependencies<br/>Against Vuln DB"]
        MATCH["Match Vulnerable<br/>Symbols"]
        TRACE["Trace Call Paths<br/>from Entry Points"]
    end

    subgraph Output["Results"]
        CALLED["Called Vulns<br/>YOUR CODE IS AFFECTED"]
        UNCALLED["Uncalled Vulns<br/>In deps but not invoked"]
        CLEAN["No Vulns Found<br/>All clear"]
    end

    SRC --> PARSE
    GOMOD --> SCAN
    DB --> SCAN
    PARSE --> MATCH
    SCAN --> MATCH
    MATCH --> TRACE
    TRACE --> CALLED
    TRACE --> UNCALLED
    TRACE --> CLEAN

    style CALLED fill:#ff6b6b,color:#fff
    style UNCALLED fill:#ffd93d,color:#333
    style CLEAN fill:#6bcb77,color:#fff

flowchart LR
    subgraph Called["Called (Action Required)"]
        C1["Code directly calls<br/>vulnerable function"]
        C2["Fix: Upgrade module<br/>or refactor code"]
    end

    subgraph Uncalled["Uncalled (Monitor Only)"]
        U1["Vulnerable module<br/>exists in go.sum"]
        U2["Your code does NOT<br/>call the vulnerable path"]
        U3["Fix: Optional upgrade<br/>to clean up report"]
    end

    C1 --> C2
    U1 --> U2 --> U3

    style Called fill:#ff6b6b,color:#fff
    style Uncalled fill:#ffd93d,color:#333

# Install govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest

# Run vulnerability scan (default - called vulns only)
make govulncheck

# Or run directly
govulncheck ./...

# Show verbose output (includes uncalled vulns)
govulncheck -show verbose ./...

# Scan specific package
govulncheck ./cmd/tfo-collector/...

# Scan build module
govulncheck -C build/ ./...

The make govulncheck target automatically installs govulncheck if not present:

## CI: Run govulncheck
govulncheck:
    @govulncheck ./...

flowchart TB
    subgraph Report["govulncheck Report"]
        SYMBOL["=== Symbol Results ===<br/>Vulnerabilities your code CALLS"]
        PACKAGE["=== Package Results ===<br/>Vulnerabilities in imported packages"]
        MODULE["=== Module Results ===<br/>All vulnerabilities in required modules"]
    end

    SYMBOL --> |"Count > 0"| FIX["ACTION REQUIRED<br/>Upgrade affected modules"]
    SYMBOL --> |"Count = 0"| CHECK_PKG["Check Package Results"]
    CHECK_PKG --> |"Count > 0"| REVIEW["REVIEW<br/>May need code changes"]
    CHECK_PKG --> |"Count = 0"| CHECK_MOD["Check Module Results"]
    CHECK_MOD --> |"Count > 0"| MONITOR["MONITOR<br/>Uncalled - track for updates"]
    CHECK_MOD --> |"Count = 0"| ALLCLEAR["ALL CLEAR<br/>No vulnerabilities"]

    style FIX fill:#ff6b6b,color:#fff
    style REVIEW fill:#ffd93d,color:#333
    style MONITOR fill:#87ceeb,color:#333
    style ALLCLEAR fill:#6bcb77,color:#fff

Example output:

=== Symbol Results ===

No vulnerabilities found.

Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 15
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.

flowchart TB
    START["govulncheck found<br/>a vulnerability"]
    TYPE{"Called or<br/>Uncalled?"}

    START --> TYPE

    TYPE --> |"Called"| C_SEVERITY{"Severity?"}
    C_SEVERITY --> |"Critical / High"| C_URGENT["Upgrade immediately<br/>go get module@latest"]
    C_SEVERITY --> |"Medium / Low"| C_SCHEDULE["Schedule upgrade<br/>in next sprint"]
    C_URGENT --> C_VERIFY["Run govulncheck again"]
    C_SCHEDULE --> C_VERIFY
    C_VERIFY --> C_DONE["Verify 0 called vulns"]

    TYPE --> |"Uncalled"| U_ASSESS["Assess risk:<br/>Will code call it in future?"]
    U_ASSESS --> |"Yes"| U_FIX["Upgrade dependency<br/>proactively"]
    U_ASSESS --> |"No"| U_TRACK["Track in issue<br/>for next release"]
    U_FIX --> U_DONE["Run govulncheck again"]
    U_TRACK --> U_DONE

    style C_URGENT fill:#ff6b6b,color:#fff
    style C_SCHEDULE fill:#ffd93d,color:#333
    style U_FIX fill:#87ceeb,color:#333
    style U_TRACK fill:#87ceeb,color:#333

flowchart LR
    subgraph PR["Pull Request"]
        LINT["make lint"]
        VET["make vet"]
        VULN["make govulncheck"]
        TEST["make test"]
    end

    LINT --> VET --> VULN --> TEST

    VULN --> |"Called vulns found"| BLOCK["Block PR<br/>Require fix"]
    VULN --> |"No called vulns"| PASS["Pass<br/>Allow merge"]

    style BLOCK fill:#ff6b6b,color:#fff
    style PASS fill:#6bcb77,color:#fff

Add to your CI pipeline:

- name: Vulnerability Check
  run: |
    go install golang.org/x/vuln/cmd/govulncheck@latest
    govulncheck ./...

Last scanned: May 2026 | Run make govulncheck for latest results.

Static Application Security Testing (SAST) using gosec:

# Run security scan (SARIF output)
make security

# Or run directly
gosec -no-fail -fmt sarif -out gosec-results.sarif ./...

flowchart TB
    subgraph Local["Local Development"]
        FMT["make fmt<br/>Format code"]
        LINT["make lint<br/>Lint code"]
        VET["make vet<br/>Code correctness"]
        VULN["make govulncheck<br/>Vuln scanning"]
        SEC["make security<br/>SAST (gosec)"]
        TEST["make test<br/>Run tests"]
    end

    subgraph CI["CI Pipeline"]
        CI_LINT["CI Lint"]
        CI_VULN["CI Vuln Check"]
        CI_SEC["CI Security Scan"]
        CI_TEST["CI Tests"]
        CI_IMG["Container Scan<br/>(Trivy)"]
    end

    FMT --> LINT --> VET --> VULN --> SEC --> TEST
    CI_LINT --> CI_VULN --> CI_SEC --> CI_TEST --> CI_IMG

    style VULN fill:#e74c3c,color:#fff
    style CI_VULN fill:#e74c3c,color:#fff

# Never commit .env files
echo ".env" >> .gitignore

# Use strong secrets
pnpm run generate:secrets

# Use strong passwords
POSTGRES_PASSWORD=<strong-random-password>
CLICKHOUSE_PASSWORD=<strong-random-password>

# Restrict database access
# Only allow connections from trusted IPs

# Use minimum 32 characters for secrets
JWT_SECRET=<min-32-chars-random-string>
SESSION_SECRET=<min-32-chars-random-string>

# Set appropriate expiration
JWT_EXPIRES_IN=24h  # Adjust based on your needs

# Always use NODE_ENV=production
NODE_ENV=production

# Disable debug logs
LOG_LEVEL=warn

# Enable HTTPS only
# Use reverse proxy (nginx/traefik) with SSL/TLS

Never commit:

• Passwords or API keys
• Private keys or certificates
• Database credentials
• JWT secrets
• Personal information

Always:

• Use environment variables for sensitive data
• Validate all user inputs
• Sanitize database queries
• Use parameterized queries (TypeORM handles this)
• Implement proper authentication and authorization

# Check for vulnerabilities
pnpm audit

# Fix vulnerabilities
pnpm audit fix

# Update dependencies regularly
pnpm update

All code changes must:

• Pass security review
• Include tests for security-critical features
• Follow OWASP security guidelines
• Be reviewed by at least one maintainer

• JWT-based authentication with secure token generation
• 5-tier RBAC system (Super Admin, Admin, Developer, Viewer, Demo)
• Permission-based access control with 22+ granular permissions
• Password hashing using Argon2 (industry standard)
• Session management with secure session secrets

• PostgreSQL for transactional data with row-level security
• ClickHouse for audit logs and observability data
• Encrypted connections between services
• Input validation using class-validator
• SQL injection prevention via TypeORM parameterized queries

• Audit logging for all critical operations
• OpenTelemetry tracing for request tracking
• Winston logging with structured logs
• Health checks for service monitoring

• Docker network isolation (172.151.151.0/24)
• Service-to-service communication on private network
• Exposed ports only for necessary services
• CORS configuration for API access control

No security vulnerabilities have been reported yet.

Security advisories will be published at:

• GitHub Security Advisories
• Project documentation
• Release notes

TelemetryFlow Core follows:

• OWASP Top 10 security guidelines
• CWE/SANS Top 25 vulnerability prevention
• NIST Cybersecurity Framework principles

Currently pursuing:

• SOC 2 Type II compliance
• ISO 27001 certification

• Email: security@telemetryflow.id
• Response Time: 48 hours

• Email: support@telemetryflow.id
• GitHub: @telemetryflow

We currently do not have a formal bug bounty program, but we:

• Acknowledge security researchers in release notes
• Provide public recognition for valid reports
• Consider monetary rewards for critical vulnerabilities (case-by-case basis)

Stay informed about security updates:

• GitHub Releases: Watch repository for releases
• Security Advisories: Enable GitHub security alerts
• Changelog: Check CHANGELOG.md
• Release Notes: Review docs/RELEASE_NOTES_*.md

# Check current version
cat package.json | grep version

# Update to latest version
git pull origin main
pnpm install

# Run migrations if needed
pnpm db:migrate

# Restart services
docker-compose restart

1. Read CONTRIBUTING.md
2. Review this security policy
3. Sign commits with GPG key (recommended)
4. Test security implications of your changes

# Sign commits
git commit -S -m "Your commit message"

# Run security checks
pnpm audit
pnpm lint
pnpm test

# Create pull request with security checklist

• No hardcoded secrets or credentials
• Input validation implemented
• SQL injection prevention verified
• XSS prevention implemented
• Authentication/authorization tested
• Error messages don't leak sensitive info
• Dependencies updated and audited
• Tests include security scenarios

• README.md - Project overview
• CONTRIBUTING.md - Contribution guidelines
• CODE_OF_CONDUCT.md - Community standards

• OWASP Top 10
• npm audit
• Snyk - Vulnerability scanning
• SonarQube - Code quality & security

• OWASP WebGoat
• PortSwigger Web Security Academy
• HackerOne Resources

We would like to thank the following security researchers for their contributions:

No security researchers have been acknowledged yet.

• Last Updated: May 25, 2026
• Version: 1.2.1
• Project: TelemetryFlow Collector

Built with ❤️ by Telemetri Data Indonesia