Do not open a public issue for security vulnerabilities. Instead, email your report to security@ralabarge.dev with:
- Title: Brief description of the vulnerability
- Affected version(s): Which bluTruth versions are affected
- Description: Technical details and proof-of-concept (if possible)
- Impact: What an attacker could do if this vulnerability is exploited
- Proposed fix (optional): Any ideas on how to fix it
We will acknowledge receipt within 48 hours and provide an estimated timeline for a fix.
- Acknowledgment: Within 48 hours of report
- Investigation & patch development: 5-14 days depending on severity
- Release: We will issue a security release as soon as the fix is ready
- Disclosure: We will disclose the vulnerability details 30 days after the public fix is released
| Level | Description | Response Time |
|---|---|---|
| Critical | Arbitrary code execution, complete system compromise | 24-48 hours |
| High | Authentication bypass, privilege escalation | 3-5 days |
| Medium | Information disclosure, limited privilege escalation | 5-14 days |
| Low | Minor issues, cosmetic problems | Next release |
- Keep bluTruth updated: Security patches are released regularly. Run `pip install --upgrade blutruth` to get the latest version.
- Restrict access to btmon: bluTruth requires `cap_net_admin` or root. Only give this capability to trusted users:

  ```
  sudo setcap cap_net_admin+eip $(which btmon)
  ```

- Protect stored logs: SQLite databases and JSONL files contain raw Bluetooth traffic. Restrict file permissions:

  ```
  chmod 600 ~/.local/share/blutruth/*.db
  chmod 600 ~/.local/share/blutruth/*.jsonl
  ```

- Use secure transports: If running the web UI on a network, use TLS:

  ```
  blutruth serve --host 0.0.0.0 --ssl-certfile cert.pem --ssl-keyfile key.pem
  ```

- Monitor for suspicious devices: bluTruth logs all connected devices. Regularly review device history for unauthorized access.
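An added example (not bluTruth's own code) that audits two of the hardening steps above, the log file permissions and the btmon file capability, so you can verify them after setup. It assumes the log directory path shown above, that `getcap(8)` from libcap is installed, and that the function names and the `--run` flag are my own.

```shell
#!/bin/sh
# Added example, not part of bluTruth: audit the hardening steps above
# (log file permissions and the btmon file capability).
# Assumptions: logs live in ~/.local/share/blutruth (the path used above) and
# getcap(8) from libcap is installed; neither is guaranteed by the project.

# Return 0 when every .db/.jsonl file in $1 is mode 600, 1 if any is looser.
check_log_perms() {
    dir=$1
    rc=0
    for f in "$dir"/*.db "$dir"/*.jsonl; do
        [ -e "$f" ] || continue                      # unmatched glob
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$mode" != "600" ]; then
            echo "loose mode $mode on $f (expected 600)" >&2
            rc=1
        fi
    done
    return $rc
}

# Given one line of getcap output for btmon, return 0 only when the file
# carries exactly cap_net_admin (effective+inheritable+permitted) and nothing
# else; an empty line means no file capability is set at all.
check_btmon_caps() {
    # Accept both libcap formats: "/path = cap_x+eip" and "/path cap_x=eip".
    caps=$(printf '%s' "$1" | sed 's/^[^ ]*[ =]*//')
    case "$caps" in
        cap_net_admin+eip|cap_net_admin=eip) return 0 ;;
        "") echo "btmon has no file capabilities; it will need root" >&2; return 1 ;;
        *)  echo "btmon capability set is not just cap_net_admin: $caps" >&2; return 1 ;;
    esac
}

# Run both checks against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    check_log_perms "$HOME/.local/share/blutruth"
    check_btmon_caps "$(getcap "$(command -v btmon)" 2>/dev/null)"
fi
```

A non-zero exit from either function means the corresponding step above has not been applied (or a broader capability set than intended was granted).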
- All commits should be signed (`git commit -S`)
- All pull requests must pass security checks:
  - `pip-audit` for dependency vulnerabilities
  - `bandit` for code-level issues
  - `semgrep` for pattern-based security flaws
- Changes to HCI parsing or kernel interaction need careful review
- New collectors should isolate untrusted input (device names, log content)
- Device ID spoofing: MAC addresses can be spoofed. Trust the source of your Bluetooth devices.
- Kernel module tampering: If the kernel module is compromised, all data from `dmesg` and eBPF cannot be trusted.
- Air capture: The Ubertooth and BLE sniffer collectors are mock-only and not functional.
- Timing side-channels: Correlation engine timestamps rely on kernel monotonic clocks, which can be skewed.
bluTruth has not undergone a third-party security audit. If you're considering using it in a regulated environment, we recommend:
- Internal code review by your security team
- Fuzz testing on HCI parsers
- Review of eBPF kernel module code
- Assessment of data handling in collectors
We welcome and encourage security audits. If you've found issues during an audit, please report them using the process above.
We use pip-audit to continuously check for vulnerable dependencies. Run it yourself:

```
pip-audit --desc
```

To report a vulnerable dependency issue:

```
pip install --upgrade blutruth
```

If you find a vulnerability in a dependency, follow this process:
- Report it to the upstream project's security contact
- File an issue with us if bluTruth is affected
- We'll release a patched version with updated pins
Security releases are issued as `X.Y.Z` (no `-alpha` or `-beta` tags) and announced on:
- GitHub Releases page
- Project README (pinned notice)
- Email to watchers (if subscribed)
Subscribe to security releases: https://github.com/RALaBarge/bluTruth/releases/tag/security-notice