We actively maintain security updates for the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| Previous | ✅ Yes |
| Older | ❌ No |

We take the security of TokenRouter seriously. If you discover a security vulnerability, please disclose it responsibly.
Please send details to: contact@tokenrouter.dev
Include the following information in your report:
- Description of the vulnerability type
- Complete affected version information
- Explanation of potential exploitation
- Reproduction steps (if applicable)
- Your CVSS v3 score (if assessed)

- Please give us reasonable time to fix the reported vulnerability before public disclosure
- Check if a similar issue already exists before reporting
- Avoid destructive testing or attempts to delete data from systems
- Work with us to provide appropriate attribution in announcements
We commit to responding within the following timeframes:
- Initial Response: Within 48 hours
- Status Updates: Weekly
- Fix Timeline: Based on severity
  - Critical: Within 72 hours
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Within 90 days

- API Key Management
  - Never commit API keys to version control
  - Use environment variables or secret management systems
  - Rotate keys regularly
- Network Security
  - Always use HTTPS in production
  - Configure firewalls to restrict database access
  - Use private networking for inter-service communication
- Access Control
  - Implement principle of least privilege
  - Regularly review API Key permissions
  - Enable rate limiting to prevent abuse
- Monitoring & Logging
  - Enable audit logging
  - Monitor for anomalous activity
  - Set up security alerts

Before deploying, ensure:
- Changed all default passwords
- Disabled unnecessary features
- Configured appropriate log level (warn or error for production)
- Enabled database SSL connections
- Configured CORS policies
- Set rate limit thresholds
- Reviewed and restricted file permissions
Security updates will be released as patch versions. We recommend applying security updates as soon as they become available.
Subscribe to security announcements:
We would like to thank the following security researchers who have helped keep the TokenRouter community safe:
(Recognized vulnerability reporters will be listed here)
Last Updated: 2026-04-30