| Version | Supported |
|---|---|
| Latest (main branch) | ✅ |
If you discover a security vulnerability, please report it responsibly:
Email: security@apibase.pro
Do NOT:
- Open a public GitHub issue for security vulnerabilities
- Post vulnerability details in discussions or comments
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response time:
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix deployed within 30 days for critical issues
APIbase implements a 5-layer defense model:
- Network — Firewall (UFW), SSH hardening, TLS 1.3, fail2ban
- Application — API key auth, rate limiting (3-layer), input validation (Zod), CORS, security headers
- Infrastructure — Docker containers (read-only, non-root, cap_drop ALL), named volumes, secrets in .env only
- Payment — Escrow-first model, atomic settlement, append-only ledger, idempotency keys
- Monitoring — Prometheus (27 alert rules), Grafana dashboards, Loki log aggregation, daily automated testing
Payment security:
- x402 (USDC on Base): Escrow locked before provider call, auto-refund on failure, facilitator-verified settlements
- MPP (USDC on Tempo): Direct on-chain verification, HMAC-bound challenges, replay prevention via Redis
- No double charges: Idempotency key enforced at pipeline stage 2
- Append-only ledger: Financial records are never modified or deleted
Security testing:
- Daily automated tests via mcp-protocol-tester — 15 phases including security audit, payment security, and SSRF/XSS/injection tests
- CI/CD checks on every push — lint, type check, build verification
- Third-party security harness — agent-security-harness score: 18/25 (72%), with no confirmed vulnerabilities
We follow coordinated disclosure. Vulnerabilities will be patched before public disclosure. Credit will be given to reporters unless they prefer anonymity.