Please do not report security vulnerabilities through public GitHub issues.
If you believe you have found a security vulnerability in TokenShield, please report it to us through coordinated disclosure.
Please include the following information:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the issue
- Location of affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue
TokenShield handles sensitive credit card data. When deploying:

Never:
- Use self-signed certificates
- Store encryption keys in code or environment files
- Log credit card numbers
- Disable HTTPS
- Use default passwords

Always:
- Use proper SSL/TLS certificates from trusted CAs
- Implement proper key management (AWS KMS, HashiCorp Vault, etc.)
- Enable comprehensive audit logging
- Follow PCI DSS requirements
- Apply security updates and patches regularly
- Use network segmentation and firewalls
- Conduct regular security audits
- Implement rate limiting and DDoS protection
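One way to enforce the "never log credit card numbers" rule at the logging layer, as an added example that is not part of TokenShield's own code: a Python `logging` filter that Luhn-checks every 13-19 digit run in a rendered message and masks all but the last four digits, so a PAN that slips into a log call never reaches the audit log. The logger name and the sample line are constructed for the demonstration.

```python
import logging
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# Every match is Luhn-checked before masking so long order ids and timestamps are left alone.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with asterisks, keeping the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave it as is
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Handler-level filter: masks PANs in the rendered message before it is written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pans(record.getMessage())
        record.args = ()        # already rendered; stop the handler re-applying % args
        return True


def redacted_line(message: str) -> str:
    """Log one message through a handler carrying the filter and return the emitted text
    (constructed harness; a deployment attaches the filter to its file/syslog handler)."""
    emitted: list[str] = []

    class _Capture(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            emitted.append(self.format(record))

    handler = _Capture()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    logger = logging.getLogger("tokenshield.example")   # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.info(message)
    return emitted[0]
```

Attaching the filter to the handler rather than to a logger means records from every module that writes to that handler are redacted, including third-party libraries.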
Supported versions:

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
- Encryption Keys: Never commit encryption keys. Use proper key management systems.
- Database: Always use encrypted connections to MySQL
- Network: Implement proper network segmentation
- Updates: Keep all dependencies up to date
- Monitoring: Implement comprehensive logging and monitoring
- Access Control: Use strong authentication and authorization
TokenShield is designed to help with PCI DSS compliance, but proper deployment and configuration are essential. Always consult a QSA (Qualified Security Assessor) for your specific compliance needs.