We actively maintain and provide security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

Security vulnerabilities should be reported privately to prevent exploitation.

Send a detailed report to: [email protected]

• Description: Clear description of the vulnerability
• Steps to reproduce: Detailed steps to reproduce the issue
• Impact: Potential impact of the vulnerability
• Suggested fix: If you have a suggested solution
• Affected versions: Which versions are affected
• Proof of concept: If applicable, include a safe PoC

• Initial response: Within 48 hours
• Status update: Within 7 days
• Fix timeline: Depends on severity (1-30 days)

This package implements several security measures:

• OTP Generation: Uses crypto.randomBytes() for cryptographically secure random numbers
• HMAC Verification: Constant-time comparison to prevent timing attacks
• OTP Storage: bcrypt hashing with 12 salt rounds
• Session Binding: HMAC-based session and context binding

• Configurable rate limiting per email/context
• Automatic blocking after max retries
• Window-based rate limiting

• Strict mode for request metadata validation
• Context and session binding
• Replay attack prevention

• Minimum 32-character server secret required
• Strict mode enabled by default
• Secure OTP length (4-10 digits)
• Reasonable expiry times (2 minutes default)

• Use a strong, randomly generated server secret (minimum 32 characters)
• Store the secret securely (environment variables, secret management)
• Rotate secrets periodically

• Configure appropriate rate limits for your use case
• Monitor for abuse patterns
• Consider IP-based rate limiting for additional protection

• Enable strict mode in production
• Collect and validate request metadata
• Use device fingerprinting when possible

• Use reputable email providers
• Implement SPF, DKIM, and DMARC
• Monitor email delivery rates

• Email delivery is not guaranteed
• SMS-based OTP may be more reliable for critical applications
• Consider multi-factor authentication for high-security applications

• Implement proper logging and monitoring
• Regular security audits
• Keep dependencies updated
• Follow OWASP guidelines

When a vulnerability is fixed:

1. A security advisory will be published
2. Patches will be released promptly
3. Users will be notified through appropriate channels
4. CVE numbers will be requested when applicable

For security-related questions or concerns:

• Email: [email protected]
• PGP Key: [Add your PGP key if available]

Thank you for helping keep this package secure!