Only the latest major version is supported with security updates.

| Version | Supported |
|---|---|
| 1.x | ✅ |
We take security seriously. If you discover a security vulnerability within the bot, please follow these steps:
- Do NOT disclose the issue publicly.
- Send an email to lelexthbest@gmail.com
- Include as much detail as possible: steps to reproduce, potential impact, and any suggested fix.
- You can expect an initial response within 48 hours.
We will work with you to validate and fix the issue, and will credit you in the release notes if desired.
The bot includes the following security features:
- Rate limiting – per‑user sliding window (5 commands per 10 seconds) prevents abuse.
- Input validation – all user inputs are sanitized before processing (Telethon/aiogram already handle basic sanitization).
- Auto‑moderation – configurable bad‑word filter and spam detection.
- Database protection – uses parameterized queries (SQLAlchemy) to prevent SQL injection.
- Secret management – for production, use SealedSecrets in Kubernetes to encrypt `BOT_TOKEN` and database passwords.
- Webhook verification – if webhook mode is used, requests are validated with a secret token.
- Session isolation – each user session is isolated; no cross‑user data leakage.
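The per-user sliding window described above (5 commands per 10 seconds), as an added illustration rather than the bot's own code. It assumes an integer Telegram user id as the key and an injectable clock so the behaviour can be checked without sleeping; the flood scenario in `simulate_flood` is constructed.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, List


class SlidingWindowRateLimiter:
    """Per-user sliding window: at most `limit` commands in any `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 10.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for deterministic tests (assumption, not bot API)
        self._hits: Dict[int, Deque[float]] = {}

    def _prune(self, user_id: int, now: float) -> Deque[float]:
        """Return the user's timestamps with anything older than the window dropped."""
        hits = self._hits.setdefault(user_id, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        return hits

    def allow(self, user_id: int) -> bool:
        """Record one command attempt; True if it is within the limit, False if denied."""
        now = self.clock()
        hits = self._prune(user_id, now)
        if len(hits) >= self.limit:
            # Denied attempts are not recorded, so a flood cannot extend its own block.
            return False
        hits.append(now)
        return True

    def retry_after(self, user_id: int) -> float:
        """Seconds until the oldest in-window hit expires (0.0 if the user is not limited)."""
        now = self.clock()
        hits = self._prune(user_id, now)
        if len(hits) < self.limit:
            return 0.0
        return max(0.0, self.window - (now - hits[0]))


def simulate_flood() -> List[bool]:
    """Constructed scenario: user 42 fires 7 commands at once, waits 10 s, sends one more."""
    fake_now = [0.0]
    limiter = SlidingWindowRateLimiter(limit=5, window=10.0, clock=lambda: fake_now[0])
    decisions = [limiter.allow(42) for _ in range(7)]  # first 5 allowed, next 2 denied
    fake_now[0] += 10.0                                 # the whole window has elapsed
    decisions.append(limiter.allow(42))                 # allowed again
    return decisions
```

State lives in process memory here; with several bot replicas the per-user deque would need to move to the Redis instance the deployment already configures, otherwise each replica enforces its own separate budget.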
Never commit .env files. Use environment variables for all secrets:
- `BOT_TOKEN` – Telegram bot token (keep secret)
- `DATABASE_URL` – PostgreSQL connection string (contains password)
- `REDIS_URL` – Redis connection string
For non‑security issues, please use the GitHub issue tracker.
We follow the principle of responsible disclosure. After a fix is released, we will publicly acknowledge the reporter (if they wish).
Regularly update dependencies to patch known vulnerabilities. Run `pip list --outdated` and `safety check` (if installed) to monitor.