At HoneyPi (iHBV ecosystem), security is our top priority. We are committed to ensuring the safety and integrity of our hardware, firmware, and software projects. We appreciate the security research community's efforts in responsibly disclosing vulnerabilities.
We actively maintain and provide security updates for the following versions:
| Product | Version | Supported | End of Life |
|---|---|---|---|
| HBV3.0 Platform | 3.x | Yes | - |
| StingPot-Lite Firmware | 1.x | Yes | - |
| StingPot-Pro Firmware | 1.x | Yes | - |
| HoneyPi Website | Latest | Yes | - |
Note: Pre-release and development versions (alpha/beta) are not covered by this security policy.
We take all security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues to:
Email: security@honeypi.io
PGP Key: Available at honeypi.io/security-pgp.txt
Subject Line: [SECURITY] Brief description of vulnerability
Please provide as much information as possible to help us understand and reproduce the issue:
- Type of vulnerability (e.g., buffer overflow, XSS, authentication bypass, etc.)
- Affected product/version (firmware version, hardware revision, etc.)
- Step-by-step reproduction instructions
- Proof-of-concept code or exploit (if available)
- Potential impact of the vulnerability
- Suggested mitigation or remediation (if you have recommendations)
- Your contact information for follow-up questions
When you report a vulnerability, we commit to:
- Acknowledge receipt within 48 hours (counted in business days)
- Provide initial assessment within 5 business days
- Keep you informed of our progress throughout the investigation
- Credit you in our security advisories (unless you prefer to remain anonymous)
- Fix confirmed vulnerabilities as quickly as possible based on severity
| Severity | Initial Response | Target Fix Time | Public Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7 days | After fix deployed |
| High | 48 hours | 14 days | After fix deployed |
| Medium | 5 days | 30 days | After fix deployed |
| Low | 7 days | 60 days | After fix deployed |
We believe in recognizing security researchers who help make HoneyPi more secure.
Security researchers who responsibly disclose vulnerabilities will be recognized in our Security Hall of Fame.
We are currently evaluating the establishment of a formal bug bounty program. Stay tuned for updates.
If you're contributing to HoneyPi projects:
- Never commit secrets (API keys, passwords, private keys) to the repository
- Use parameterized queries to prevent SQL injection
- Validate and sanitize all inputs on both client and server side
- Follow secure coding guidelines for the language/framework you're using
- Enable and review security linters in your development environment
- Keep dependencies updated and monitor for known vulnerabilities
- Use HTTPS/TLS for all network communications
- Implement proper authentication and authorization checks
- Log security-relevant events for audit trails
- Write security-focused unit tests
If you're deploying HoneyPi hardware/firmware:
- Keep firmware updated to the latest stable version
- Change default credentials immediately after deployment
- Isolate honeypot networks from production systems
- Monitor logs for suspicious activity
- Implement network segmentation to limit blast radius
- Use strong, unique passwords for all accounts
- Enable hardware security features (secure boot, encryption, etc.)
- Regularly backup configurations and data
- Review access control lists periodically
- Follow deployment guides in the documentation
- Secure Boot: Cryptographically verified firmware loading
- Hardware RNG: True random number generation for cryptographic operations
- Tamper Detection: Physical security monitoring
- Encrypted Storage: Protected configuration and sensitive data
- Code Signing: All official firmware releases are cryptographically signed
- OTA Updates: Secure over-the-air update mechanism with rollback capability
- Memory Protection: Stack canaries, ASLR, and DEP where supported
- Least Privilege: Process isolation and minimal permissions
- TLS 1.3: Modern encryption for all network communications
- Certificate Pinning: Protection against MITM attacks
- Rate Limiting: Protection against brute force and DoS attacks
- Network Isolation: Separate management and data networks
We follow a 90-day coordinated disclosure policy:
- Researcher reports vulnerability privately
- We acknowledge and begin investigation
- We develop and test a fix
- We release security update to users
- After users have had time to update (minimum 90 days from initial report), we:
  - Publish a security advisory
  - Credit the researcher (if they consent)
  - Provide technical details and mitigation steps
We may request an extended disclosure timeline for:
- Particularly complex vulnerabilities requiring extensive changes
- Vulnerabilities affecting multiple products/versions
- Issues requiring coordination with third-party vendors
We will never request indefinite disclosure delays.
Published security advisories are available at:
- GitHub Security Advisories: github.com/invokehoneybadger/honeypi.io/security/advisories
- Website: honeypi.io/security-advisories
For security-related inquiries:
- Email: security@honeypi.io
- General Contact: hello@honeypi.io
- Website: https://honeypi.io
Last Updated: January 2025
Version: 1.0
Thank you for helping keep HoneyPi and our users safe!