We release patches for security vulnerabilities for the following versions:

We take the security of WAMR seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Open a public GitHub issue for security vulnerabilities
• Discuss the vulnerability in public forums or social media

1. Report via GitHub Security Advisories (Preferred):

   • Go to https://github.com/techieanant/wamr/security/advisories/new
   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability

2. Report via Email:

   • Send an email to: contact@anant.wtf
   • Include "WAMR Security" in the subject line
   • Provide detailed information about the vulnerability

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if any)
• Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Timeline: Varies based on severity and complexity

We will:

1. Confirm receipt of your report
2. Investigate and validate the vulnerability
3. Develop and test a fix
4. Release a security patch
5. Publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)

• Never commit .env files to version control

• Use strong, unique passwords for admin accounts

• Generate secure keys:

  # JWT Secret (64 hex characters)
  openssl rand -hex 32
  
  # Encryption Key (64 hex characters)
  openssl rand -hex 32

• Change default passwords immediately after first login
• Keep containers updated with latest security patches
• Use Docker secrets for production environments
• Restrict network access using firewalls
• Enable HTTPS with reverse proxy (nginx, Traefik, Caddy)

• Backup regularly and store backups securely
• Encrypt sensitive data at rest
• Limit database access to application only
• Use volume encryption for Docker volumes

• Protect session files (.baileys_auth directory)
• Limit access to WhatsApp-connected phone
• Monitor for unauthorized access
• Revoke sessions if compromised

• Store securely using encryption
• Rotate regularly (every 90 days recommended)
• Use read-only keys when possible
• Monitor API usage for anomalies

• Use HTTPS for all external connections
• Configure CORS properly (don't use wildcards in production)
• Enable rate limiting to prevent abuse
• Use strong TLS versions (1.2+)

• Use strong passwords (minimum 6 characters, recommended 12+)
• Enable 2FA when available
• Limit admin access to necessary personnel only
• Review audit logs regularly

WAMR includes several built-in security features:

• Password Hashing: Argon2id for secure password storage
• JWT Authentication: Secure session management
• API Key Encryption: AES-256-GCM for service credentials
• Rate Limiting: Protection against brute force attacks
• CORS Protection: Configurable origin restrictions
• Input Validation: Zod schemas for all API inputs
• SQL Injection Prevention: Parameterized queries with Drizzle ORM
• Audit Logging: Complete request history tracking

• WAMR uses @whiskeysockets/baileys which is unofficial
• WhatsApp may ban accounts that violate their Terms of Service
• Use a dedicated WhatsApp Business account
• Monitor for suspicious activity

• You are responsible for securing your own deployment
• Keep Node.js and dependencies updated
• Follow security best practices for your hosting environment
• Regularly backup data

When we receive a security bug report, we will:

1. Confirm the problem and determine affected versions
2. Audit code to find similar problems
3. Prepare fixes for all supported versions
4. Release patches as quickly as possible

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be listed here (with permission):

If you have questions about this security policy, please email contact@anant.wtf.

Last Updated: October 2025