LinkQuota handles infrastructure routing, subscription tokens, and customer access state. Treat production values as secrets.
- SSH private keys or local key folders.
- BotFather tokens.
- Telegram admin IDs.
- Customer records from
customers.json. - Generated VLESS links, UUIDs, and subscription tokens.
- Real VPS IPs, domains, Netlify site IDs, or provider account notes.
- Runtime logs that may contain tokens or traffic metadata.
Please open a private report through the repository security advisory flow if available. If that is not available, contact the maintainer privately before opening a public issue.
Include:
- A concise description of the issue.
- Affected component, such as relay, manager, subscription server, Nginx config, systemd unit, or bot.
- Reproduction steps using placeholders.
- Impact and suggested fix, if known.
Do not include live customer tokens, private keys, or production service URLs in public reports.
Security fixes are expected on the default branch unless a maintainer creates release branches later.