Security
Credential storage
The CLI stores your Slack tokens in the operating system keyring:
- macOS: Keychain Access
- Linux: Secret Service API (GNOME Keyring, KDE Wallet)
- Windows: Windows Credential Manager
If the system keyring is unavailable, the CLI falls back to a plaintext file at ~/.config/slackbuzz/auth.yml with a warning.
Tokens are never logged to stdout or stored in the config file.
Token types
SlackBuzz uses two types of Slack tokens:
| Token | Prefix | Used for |
|---|---|---|
| Bot token | xoxb- | Sending messages, reading channels, reactions, emoji list |
| User token | xoxp- | Search, activity inbox, saved items, status management |
Both tokens are stored separately in the keyring. The slackbuzz app create command creates a Slack app pre-configured with all required scopes for both token types.
Best practices
- Use the system keyring: The default storage method. Avoid overriding it unless necessary.
- Use `app create`: Creates a Slack app with the minimum required scopes. Avoid using tokens with broader permissions than needed.
- CI environments: Pass tokens via environment variables and stdin, not as command-line arguments, which may appear in process lists:

  ```sh
  echo "$SLACK_BOT_TOKEN" | slackbuzz auth login --with-token
  ```

- Don't commit tokens: Never commit Slack tokens to source control. Use `.gitignore` and CI secrets.
- Keep updated: Always use the latest version for security patches.
- Logout when done: Remove stored credentials with `slackbuzz auth logout`.
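As an added example (not part of the slackbuzz project or its documentation), the POSIX shell helpers below put the practices above into a reusable form: the token is taken from stdin rather than argv, classified by the xoxb-/xoxp- prefixes from the token table, written to logs only in redacted form, and the plaintext fallback file ~/.config/slackbuzz/auth.yml is checked for owner-only permissions. The function names and the sample token values are assumptions constructed for this example; `slackbuzz auth login --with-token` is the page's own command.

```shell
#!/bin/sh
# Added example, not slackbuzz project code. Helpers for handling a Slack token
# in CI: read it from stdin (never argv), log only a redacted form, and check
# the permissions of the plaintext fallback file.

# classify_token TOKEN -> prints bot | user | unknown, by the documented prefixes
classify_token() {
  case "$1" in
    xoxb-*) echo bot ;;
    xoxp-*) echo user ;;
    *)      echo unknown ;;
  esac
}

# redact_token TOKEN -> prints only the prefix (e.g. "xoxb-****"); safe for logs
redact_token() {
  case "$1" in
    xox?-*) printf '%s-****\n' "${1%%-*}" ;;
    *)      echo '****' ;;
  esac
}

# check_auth_file PATH -> 0 if PATH is absent or mode 0600 (owner read/write
# only), 1 if it exists with wider permissions. Meant for the fallback file
# ~/.config/slackbuzz/auth.yml, which holds the token in plaintext.
check_auth_file() {
  [ -e "$1" ] || return 0
  [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# login_from_stdin [CLI] -> reads one token line from stdin, rejects unknown
# prefixes, then pipes the token to "CLI auth login --with-token"
# (CLI defaults to slackbuzz; a hypothetical parameter so the wrapper can be
# exercised without the real binary). The token never appears in any argv.
login_from_stdin() {
  cli="${1:-slackbuzz}"
  IFS= read -r token || [ -n "$token" ] || return 1
  if [ "$(classify_token "$token")" = unknown ]; then
    echo "refusing token $(redact_token "$token"): unrecognised prefix" >&2
    return 1
  fi
  printf '%s\n' "$token" | "$cli" auth login --with-token
}

# Usage in CI, with SLACK_BOT_TOKEN injected as a CI secret (constructed name):
#   printf '%s\n' "$SLACK_BOT_TOKEN" | { . ./slack-token-helpers.sh; login_from_stdin; }
# Before a run, fail fast if a world-readable plaintext fallback is lying around:
#   check_auth_file "$HOME/.config/slackbuzz/auth.yml" || echo "auth.yml too permissive" >&2
```

`check_auth_file` parses `ls -ld` rather than `stat`, because the `stat` flags for a numeric mode differ between GNU and BSD/macOS; the nine permission characters are the same on both.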
Reporting a vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Email security concerns to: info@campermate.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (optional)
Response timeline
| Step | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Resolution | Depends on severity, typically within 30 days |
We will credit reporters in release notes unless you prefer anonymity. We ask that you do not publicly disclose the issue until we have had time to address it.
Supported versions
| Version | Supported |
|---|---|
| 0.1.x | Yes |