🛡️ Security
📨 Report a Vulnerability
We appreciate security researchers who test our systems ethically. Please report vulnerabilities through the following channels:
📊 Scope & Rules
✅ In Scope
- https://rabbitxai.com/* (Production)
- https://tamnoua.rabbitxai.com/* (Demo brand)
- LINE OA webhook integration
- Authentication / Session management / 2FA
- PII handling (lead phone/email encryption)
- Admin Dashboard, Platform Admin
❌ Out of Scope
- Social engineering of staff
- Physical access attempts
- DDoS / load testing
- Spam / phishing of staff accounts
- 3rd-party services (LINE Messaging API, OpenAI)
- Self-XSS or issues requiring physical device access
⏱ Response SLA
| Severity | Initial Response | Fix Target |
| --- | --- | --- |
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 3 days | 30 days |
| Low | 7 days | 90 days |
🚫 Please DO NOT:
- Test on accounts that are not your own
- Access, modify, or exfiltrate customer data
- Disrupt the service
- Disclose findings before receiving approval
🔬 Automated Scan Results
Last automated scan: 19 May 2569 (B.E.) 09:00 UTC
HTTP Security Headers
| Header | Status | Value |
| --- | --- | --- |
| Strict-Transport-Security | ✓ PASS | max-age=31536000 |
| X-Frame-Options | ✓ PASS | SAMEORIGIN |
| X-Content-Type-Options | ✓ PASS | nosniff |
| Content-Security-Policy | ✓ PASS | 9 directives configured |
| Referrer-Policy | ✓ PASS | strict-origin-when-cross-origin |
| Permissions-Policy | ✓ PASS | geo/mic/cam disabled |
| X-Powered-By | ✓ HIDDEN | (disabled) |
TLS / SSL
| Check | Status | Detail |
| --- | --- | --- |
| Protocol | ✓ A+ | TLS 1.3 only · TLS 1.2 supported · TLS 1.0/1.1 disabled |
| Cipher | ✓ A+ | TLS_AES_256_GCM_SHA384 (modern ciphers only) |
| Certificate | ✓ Valid | Let's Encrypt · expires Aug 2026 · auto-renew |
| HSTS Preload | ⏳ Pending | Eligible · submit to hstspreload.org |
Dependency Vulnerabilities (npm audit)
| Severity | Count | Status |
| --- | --- | --- |
| Critical | 0 | ✓ Clean |
| High | 0 | ✓ Clean |
| Medium | 0 | ✓ Clean |
| Low | 0 | ✓ Clean |
Open Ports (External Scan)
| Port | Service | Access |
| --- | --- | --- |
| 22/TCP | SSH | 🔒 Key-auth + Fail2ban |
| 80/TCP | HTTP | 🔓 Redirect to 443 |
| 443/TCP | HTTPS | 🔓 Public (nginx + SSL) |
Other ports (3001/3002/3306/5432/etc.) — bound to 127.0.0.1 only, blocked by UFW.
Authentication / Session
| Check | Status |
| --- | --- |
| Password hashing | ✓ scrypt (Node native, stronger than bcrypt) |
| Session storage | ✓ DB-backed · 7-day TTL |
| 2FA support | ✓ TOTP (RFC 6238) · backup codes |
| Rate limiting | ✓ Login + Webhook + Forms + Admin (8 endpoints) |
| Legacy bypass | ✓ ALLOW_LEGACY_TOKEN=false |
| Brute-force protection | ✓ Fail2ban active (22 IPs banned) |
Data Protection (PDPA)
| Check | Status |
| --- | --- |
| PII Encryption infrastructure | ✓ AES-256-GCM + HMAC-SHA256 |
| Right to access | ✓ POST /api/privacy/erase-request |
| Audit logging | ✓ Platform + Brand level |
| Auto-anonymize | ✓ 12-month retention |
| Cookie consent | ✓ Banner + opt-in only |
🏆 Hall of Fame
We thank the security researchers who have helped make our systems more secure:
No researchers are listed yet. Be the first!
📑 Past Reports & Audits
| Date | Type | Findings | Status |
| --- | --- | --- | --- |
| 19 May 2569 (B.E.) | Internal Security & Legal Audit | 1 High + 6 Medium + 2 Low | All Fixed |
🔮 Roadmap:
• Q3 2569: External pen-test (3rd-party)
• Q4 2569: SOC2 Type I preparation
• 2570: Bug Bounty Program (with monetary rewards)