VLESS Worker takes security seriously. This document outlines our security policies, how to report vulnerabilities, and best practices for secure deployment.
We provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 3.x.x | ✅ Yes | Active development |
| 2.x.x | Security fixes only | |
| 1.x.x | ❌ No | End of life |
🚫 DO NOT create public GitHub issues for security vulnerabilities.
Instead, please report security vulnerabilities through one of these methods:
- Go to our GitHub repository
- Navigate to Security tab → Advisories
- Click Report a vulnerability
- Fill out the security advisory form
Send an email to: security@vless-worker.dev
- Use subject:
[SECURITY] Vulnerability Report - Include detailed description and steps to reproduce
- Attach any proof-of-concept code or screenshots
For highly sensitive reports, use our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Key would be here in real implementation]
-----END PGP PUBLIC KEY BLOCK-----
Please include as much information as possible:
**Vulnerability Type**: [e.g., Authentication bypass, Code injection, etc.]
**Affected Components**: [e.g., WebSocket handler, UUID validation, etc.]
**Severity Assessment**: [Critical/High/Medium/Low]
**Attack Scenario**:
Describe how an attacker could exploit this vulnerability
**Steps to Reproduce**:
1. Step one
2. Step two
3. Step three
**Expected Impact**:
What could an attacker achieve?
**Proof of Concept**:
Code, screenshots, or detailed technical explanation
**Suggested Fix**:
If you have ideas for how to fix the issue
**Disclosure Timeline**:
Your preferred timeline for disclosureWe commit to the following response times:
| Severity | Initial Response | Investigation | Fix & Release |
|---|---|---|---|
| Critical | < 24 hours | < 72 hours | < 1 week |
| High | < 48 hours | < 1 week | < 2 weeks |
| Medium | < 1 week | < 2 weeks | < 1 month |
| Low | < 2 weeks | < 1 month | Next release |
- UUID Validation: Cryptographically strong UUID validation
- Protocol Authentication: VLESS protocol-level authentication
- No Default Credentials: All UUIDs must be explicitly configured
- TLS 1.3: Latest TLS version with perfect forward secrecy
- AEAD Encryption: Authenticated encryption with associated data
- Certificate Validation: Strict certificate validation
- HSTS Headers: HTTP Strict Transport Security enabled
- WebSocket Security: Secure WebSocket (WSS) connections only
- DNS over HTTPS: Secure DNS resolution to prevent DNS hijacking
- IP Filtering: Built-in IP validation and filtering
- Rate Limiting: Cloudflare's built-in DDoS protection
- Input Validation: Comprehensive input validation and sanitization
- Error Handling: Secure error handling without information disclosure
- Memory Safety: JavaScript runtime provides memory safety
- Sandboxing: Cloudflare Workers runtime sandboxing
- Workers run with minimal required permissions
- No access to sensitive Cloudflare account data
- Isolated execution environment
- Multiple layers of security controls
- Protocol-level and application-level security
- Network and transport layer protection
- No implicit trust of network traffic
- Every connection is authenticated and encrypted
- Continuous validation of connections
// ✅ GOOD: Use cryptographically secure UUIDs
const userIDs = [
'f47ac10b-58cc-4372-a567-0e02b2c3d479',
'e9e3cc13-db48-4cc1-8c24-7626439a5339'
];
// ❌ BAD: Don't use predictable or weak UUIDs
const userIDs = [
'12345678-1234-1234-1234-123456789012',
'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
];# ✅ GOOD: Store sensitive config in environment variables
wrangler secret put ADMIN_UUID
wrangler secret put API_TOKEN
# ❌ BAD: Don't hardcode secrets in _worker.js
const adminUUID = 'hardcoded-uuid-here';# ✅ GOOD: Use custom domains with proper DNS setup
route = { pattern = "vless.yourdomain.com/*", zone_name = "yourdomain.com" }
# ⚠️ ACCEPTABLE: Workers.dev domains (less optimal for security)
name = "vless-worker"// ✅ GOOD: Use reputable CDN endpoints
const proxyIPs = [
'cdn.cloudflare.com',
'workers.cloudflare.com'
];
// ❌ BAD: Don't use untrusted or suspicious IPs
const proxyIPs = [
'192.168.1.1',
'suspicious-domain.com'
];- Enable Cloudflare Analytics
- Monitor for unusual traffic patterns
- Set up alerts for failed authentication attempts
- Regular security audits of configuration
// ✅ GOOD: Log security events without sensitive data
console.log('Authentication failed for UUID ending in:', uuid.slice(-4));
// ❌ BAD: Don't log sensitive information
console.log('Authentication failed for UUID:', uuid);- Cloudflare Workers Runtime: Automatically updated by Cloudflare
- TLS Certificates: Automatically managed by Cloudflare
- Security Patches: Applied through GitHub Actions deployment
- Dependencies: Update Node.js dependencies regularly
- UUID Rotation: Rotate UUIDs periodically for enhanced security
- ProxyIP Updates: Review and update ProxyIP lists
- [ ] All UUIDs are cryptographically secure
- [ ] No sensitive data in code or logs
- [ ] TLS is properly configured
- [ ] Custom domain is properly configured (if used)
- [ ] Environment variables are used for secrets
- [ ] Regular security audits are performed
- [ ] Monitoring and alerting are configured
- [ ] Backup and recovery procedures are tested-
Detection & Assessment (0-1 hour)
- Identify the security incident
- Assess severity and impact
- Activate response team
-
Containment (1-4 hours)
- Stop the attack if ongoing
- Preserve evidence
- Prevent further damage
-
Eradication (4-24 hours)
- Remove the threat
- Apply security patches
- Update configurations
-
Recovery (24-72 hours)
- Restore affected services
- Monitor for residual issues
- Validate security measures
-
Post-Incident (1-2 weeks)
- Document lessons learned
- Update security procedures
- Communicate with users
- Internal: Security team → Development team → Management
- External: Security advisory → GitHub release → User notification
- Transparency: Public disclosure after fix is available
- Static Analysis: ESLint with security plugins
- Dependency Scanning: npm audit
- Vulnerability Database: GitHub Security Advisories
- Penetration Testing: Regular security assessments
- Lead Security Engineer: security-lead@vless-worker.dev
- Security Team: security@vless-worker.dev
- Emergency Contact: emergency@vless-worker.dev (24/7)
We welcome responsible disclosure from security researchers:
- Bug Bounty: Not currently available (may be added in future)
- Acknowledgments: Security researchers will be acknowledged in releases
- Coordination: We work with researchers on disclosure timing
We thank the following security researchers for their responsible disclosure:
| Researcher | Vulnerability | Severity | Date |
|---|---|---|---|
| None reported yet | - | - | - |
Your name could be here! Report a security vulnerability responsibly.
This security policy is provided for informational purposes and does not create any legal obligations. VLESS Worker is provided "as is" without any warranties. Users are responsible for their own security assessments and implementations.
For questions about this security policy, please contact: security@vless-worker.dev
Last Updated: January 17, 2024 Policy Version: 1.0