Repository note, April 21, 2026: this is the original peether-protocol workspace. Current public release work has moved to:

• Backend API: https://github.com/pinkpeether/ptdt-settlement-api
• Frontend UI: https://github.com/pinkpeether/ptdt-settlement-frontend

Apply this policy to the active split repositories as well.

PLEASE DO NOT open public GitHub issues for security vulnerabilities.

If you discover a security vulnerability in the PTDT Settlement API, please report it privately to:

📧 security@pinkpeether.com

1. Description: Clear explanation of the vulnerability
2. Location: Which file(s) and line numbers (if applicable)
3. Severity: Low / Medium / High / Critical
4. Impact: What could an attacker do?
5. Steps to Reproduce: How to trigger the vulnerability
6. Your Contact: Email or preferred contact method

• 24 hours: Initial acknowledgment
• 7 days: Assessment and severity determination
• 14 days: Fix development begins
• 30 days: Fix released (or disclosure discussion if complex)

We ask that you:

• ✅ Give us reasonable time to fix before public disclosure
• ✅ Avoid testing on production systems without permission
• ✅ Don't access or modify others' data
• ✅ Don't disrupt service or testing environment
• ✅ Keep vulnerability details confidential until fixed

We acknowledge all responsible disclosures in:

• Our SECURITY_ACKNOWLEDGMENTS.md file
• Public thanks (if you wish)
• Potential bug bounty (for critical vulnerabilities)

NEVER commit to repository:

• .env files (use .env.example only)
• API keys, tokens, or credentials
• Database passwords
• Private keys or mnemonics
• JWT secrets
• Blockchain RPC URLs with auth

Use GitHub Secrets for deployment:

# GitHub Settings → Secrets → New repository secret
DATABASE_URL=postgresql://...
JWT_SECRET=...
BSC_RPC_URL=...
API_KEYS=...

All code changes require:

• ✅ At least 1 code review (team members)
• ✅ All tests passing
• ✅ No security warnings from SAST tools
• ✅ No new dependencies without security audit

# Check for vulnerabilities in dependencies
npm audit

# Fix automatically where possible
npm audit fix

# Review and update regularly
npm update

• ✅ Use connection pooling (configured in src/config/database.ts)
• ✅ Enable SSL/TLS for production connections
• ✅ Use Prisma ORM (prevents SQL injection)
• ✅ Implement row-level security where sensitive
• ✅ Regular automated backups

Implemented:

• ✅ JWT token authentication (src/middleware/auth.ts)
• ✅ API key validation
• ✅ Rate limiting (src/middleware/rateLimit.ts)
• ✅ CORS configuration
• ✅ Request validation (Joi)
• ✅ Error sanitization (no stack traces in production)
• ✅ Request logging for audit trail

Additional measures:

• ✅ HTTPS/TLS for all endpoints (enforce in production)
• ✅ Helmet.js for security headers (configured in src/index.ts)
• ✅ Input validation on all endpoints
• ✅ Output encoding to prevent XSS

Smart Contract Interaction (src/utils/bsc.ts):

• ✅ Use audited contract ABI
• ✅ Validate transaction signatures
• ✅ Implement transaction confirmation checks
• ✅ Never store private keys in code
• ✅ Use hardware wallets for production operations

Before Production Deployment:

• Security audit of all code
• Penetration testing
• Load testing (verify rate limits work)
• Backup & disaster recovery testing
• Incident response plan documented
• Team security training completed

# Monitor application logs
# Watch for:
- Repeated authentication failures
- Rate limit violations
- Unusual API usage patterns
- Database query errors
- Blockchain transaction failures

Configure alerts for:

• ✅ Failed deployments
• ✅ API error rate spike (>5% errors)
• ✅ Database connection failures
• ✅ Rate limit threshold reached
• ✅ Unusual payment patterns

• Run npm audit - all vulnerabilities fixed
• All tests passing (npm test)
• No console.log statements in production code
• No hardcoded secrets or credentials
• All dependencies up to date
• Security headers configured (Helmet.js)
• Rate limiting enabled
• Database backups created
• Rollback plan documented
• Team notified of changes

• Monitor error logs for 24 hours
• Monitor application performance
• Check security alerts
• Verify all features working as expected
• Document any issues for next release

1. Immediate Actions (0-1 hour)

   • Isolate affected systems
   • Preserve evidence/logs
   • Notify security team
   • Assess severity

2. Short-term (1-24 hours)

   • Investigate root cause
   • Deploy temporary mitigation
   • Notify affected users
   • Begin formal investigation

3. Long-term (24+ hours)

   • Develop permanent fix
   • Test thoroughly
   • Deploy fix
   • Post-incident review
   • Update security policies

# Check for vulnerabilities
npm audit

# Security linting (if configured)
npm run lint

# Type checking (catch many bugs)
npx tsc --noEmit

# View production environment
echo $NODE_ENV  # Should be 'production'

# Check for exposed secrets
git log --oneline | head -20
git diff --cached  # Before committing

For security-related questions:

• 📧 Email: security@pinkpeether.com
• 🔐 Encrypted message: [Your PGP key]
• 📞 Emergency: [Your emergency contact]

Last Updated: January 26, 2026

Version: 1.0

Status: Active & Enforced