WS-Kit is in active development (pre-v1). Security updates are released for the latest development version.

If you discover a security vulnerability in WS-Kit, please report it responsibly:

DO NOT open a public issue for security vulnerabilities.

Instead, please email: security@kriasoft.com

Include in your report:

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Potential impact
• Suggested fix (if you have one)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix timeline: Depends on severity

When using WS-Kit:

• Input validation: Always validate incoming WebSocket messages with schema validation (Zod/Valibot)
• Authentication: Implement proper authentication during WebSocket upgrade
• Authorization: Verify user permissions in message handlers via ctx.ws.data
• Rate limiting: Implement rate limiting to prevent abuse
• Message size limits: Configure appropriate message size limits in Bun.serve
• Dependencies: Keep dependencies updated to prevent supply chain attacks

• Vulnerabilities will be disclosed publicly after fixes are available
• Credit will be given to security researchers (with permission)
• CVE numbers will be requested for significant vulnerabilities

We appreciate security researchers who help keep WS-Kit secure. If you report a valid security issue, we'll acknowledge your contribution in the release notes (with your permission) and coordinate disclosure timing with you.