
Security: common-room/template-triage-bot

Security

docs/SECURITY.md

Notes on Security

While this application has been built with information security in mind,

Design decisions

  • Does not request any Slack user tokens (xoxp-...) and runs purely on bot tokens (xoxb-...)
  • Bot token scopes grant access to public channels only. Reading any other type of channel is not possible without modification of the setup instructions.
  • Care has been taken to request the minimum amount of scopes possible.
  • Messages are not stored in any database and are analyzed in-memory only.
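The first three design decisions can be enforced as a startup guard rather than left to the installer. The following is an added example, not code from the template-triage-bot project: it refuses user tokens (`xoxp-`), accepts only bot tokens (`xoxb-`), and rejects any granted scope that is not on an allowlist or that reaches beyond public channels. The environment variable names, the allowlist contents and the `groups:`/`im:`/`mpim:` prefixes used to detect private-channel and DM access are assumptions for illustration; the project's own scope list is not stated on this page.

```python
"""Startup guard that enforces bot-token-only, minimal-scope, public-channel-only access.

Added example (not the project's own code). Scope names are real Slack scopes,
but which ones the project actually requests is an assumption here.
"""
from __future__ import annotations


class TokenPolicyError(ValueError):
    """Raised when the configured token or scopes violate the policy."""


# Assumed allowlist: the smallest set needed to read and reply in public channels.
ALLOWED_SCOPES = frozenset({"channels:history", "channels:read", "chat:write"})

# Scope families that would grant access to private channels, group DMs or DMs.
FORBIDDEN_SCOPE_PREFIXES = ("groups:", "im:", "mpim:")


def check_bot_token(token: str) -> str:
    """Accept only a bot token; a user token is a policy violation, not a config typo."""
    if not isinstance(token, str) or not token:
        raise TokenPolicyError("SLACK_BOT_TOKEN is missing")
    if token.startswith("xoxp-"):
        raise TokenPolicyError("user token (xoxp-) refused; this app runs on bot tokens only")
    if not token.startswith("xoxb-"):
        raise TokenPolicyError("unrecognised token type (expected xoxb-)")
    return token


def check_scopes(granted: list[str]) -> set[str]:
    """Return the granted scopes if all are allowlisted and none reach past public channels."""
    granted_set = {s.strip() for s in granted if s.strip()}
    beyond_public = {s for s in granted_set if s.startswith(FORBIDDEN_SCOPE_PREFIXES)}
    if beyond_public:
        raise TokenPolicyError(f"scopes reach beyond public channels: {sorted(beyond_public)}")
    not_allowed = granted_set - ALLOWED_SCOPES
    if not_allowed:
        raise TokenPolicyError(f"scopes outside the allowlist: {sorted(not_allowed)}")
    return granted_set


def load_config(env: dict) -> dict:
    """Build the runtime config from an environment mapping, failing closed on policy errors.

    SLACK_SCOPES is an assumed comma-separated list of the scopes the installed app
    was granted (Slack reports these in the x-oauth-scopes response header).
    """
    token = check_bot_token(env.get("SLACK_BOT_TOKEN", ""))
    scopes = check_scopes(env.get("SLACK_SCOPES", "").split(","))
    return {"token": token, "scopes": sorted(scopes)}


if __name__ == "__main__":
    # Constructed sample environment; the token value is a placeholder, not a real secret.
    sample_env = {
        "SLACK_BOT_TOKEN": "xoxb-PLACEHOLDER",
        "SLACK_SCOPES": "channels:history,channels:read,chat:write",
    }
    print(load_config(sample_env))
    try:
        check_scopes(["channels:history", "groups:history"])
    except TokenPolicyError as exc:
        print("rejected:", exc)
```

Running the guard at process start means a misconfigured install (a user token pasted by mistake, or an extra scope added to the manifest) stops the bot before it reads a single message, which is the behaviour the design decisions above describe.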

Potential areas for improvement

  • Store environment variables in a deploy-specific secure vault
  • Encrypt xoxb tokens in the database
