Microsoft-Rewards-Script/SECURITY.md
Light 15f62963f8 V2 (#365)
* first commit

* Addition of a personalized activity manager and refactoring of the logic of activities

* Adding diagnostics management, including screenshot and HTML content, as well as improvements to humanize page interactions and +.

* Adding the management of newspapers and webhook settings, including filtering messages and improving the structure of the summaries sent.

* Adding a post-execution auto-update functionality, including options to update via Git and Docker, as well as a new configuration interface to manage these parameters.

* Adding accounts in Docker, with options to use an environmental file or online JSON data, as well as minimum validations for responsible accounts.

* Improving the Microsoft Rewards script display with a new headband and better log management, including colors and improved formatting for the console.

* v2

* Refactor ESLint configuration and scripts for improved TypeScript support and project structure

* Addition of the detection of suspended accounts with improved error handling and logging of ban reasons

* Adding an integrated planner for programmed task execution, with configuration in Config.json and +

* Edit

* Remove text

* Updating of documentation and adding the management of humanization in the configuration and +.

* Adding manual purchase method allowing users to spend points without automation, with monitoring of expenses and notifications.

* Correction of documentation and improvement of configuration management for manual purchase mode, adding complete documentation and appropriate banner display.

* Add comprehensive documentation for job state persistence, NTFY notifications, proxy configuration, scheduling, and auto-update features

- Introduced job state persistence documentation to track progress and resume tasks.
- Added NTFY push notifications integration guide for real-time alerts.
- Documented proxy configuration options for enhanced privacy and network management.
- Included scheduling configuration for automated script execution.
- Implemented auto-update configuration to keep installations current with Git and Docker options.

* Addition of a community error reporting system to improve debugging, including configuration and sending of anonymized error summaries to a Discord webhook.

* Mini Edit

* Update of Readme.md to improve presentation and clarity, addition of a section on real-time notifications, and update of badges for better visibility.

* Documentation update

* Edit README.md

* Edit

* Update README with legacy version link

* Improvement of location data management and webhooks, adding configurations normalization

* Force update for PR

* Improvement of documentation and configuration options for Cron integration and Docker use

* Improvement of planning documentation and adding a multi-pan-pancake in the daily execution script

* Deletion of the CommunityReport functionality in accordance with the project policy

* Addition of randomization of start-up schedules and surveillance time for planner executions

* Refactor Docker setup to use built-in scheduler, removing cron dependencies and simplifying configuration options

* Adding TOTP support for authentication, update of interfaces and configuration files to include Totp secret, and automatic generation of the Totp code when connecting.

* Fix [LOGIN-NO-PROMPT] No dialogs (xX)

* Reset the Totp field for email_1 in the accounts.example.json file

* Reset the Totp field for email_1 in the Readme.md file

* Improvement of Bing Research: Use of the 'Attacked' method for the research field, management of overlays and adding direct navigation in the event of entry failure.

* Adding a complete security policy, including directives on vulnerability management, coordinated disclosure and user security advice.

* Remove advanced environment variables section from README

* Configuration and dockerfile update: Passage to Node 22, addition of management of the purchase method, deletion of obsolete scripts

* Correction of the order of the sections in the Readme.md for better readability

* Update of Readme and Security Policy: Addition of the method of purchase and clarification of security and confidentiality practices.

* Improvement of the readability of the Readme and deletion of the mention of reporting of vulnerabilities in the security document.

* Addition of humanization management and adaptive throttling to simulate more human behavior in bot activities.

* Addition of humanization management: activation/deactivation of human gestures, configuration update and adding documentation on human mode.

* Deletion of community error report functionality to respect the privacy policy

* Addition of immediate banning alerts and vacation configuration in the Microsoft Rewards bot

* Addition of immediate banning alerts and vacation configuration in the Microsoft Rewards bot

* Added scheduling support: support for 12h and 24h formats, added options for time zone, and immediate execution on startup.

* Added window size normalization and page rendering to fit typical screens, with injected CSS styles to prevent excessive zooming.

* Added security incident management: detection of hidden recovery emails, automation blocking, and global alerts. Updated configuration files and interfaces to include recovery emails. Improved security incident documentation.

* Refactor incident alert handling: unified alert sender

* s

* Added security incident management: detect recovery email inconsistencies and send unified alerts. Implemented helper methods to manage alerts and compromised modes.

* Added heartbeat management for the scheduler: integrated a heartbeat file to report liveliness and adjusted the watchdog configuration to account for heartbeat updates.

* Edit webhook

* Updated security alert management: fixed the recovery email hidden in the documentation and enabled the conclusion webhook for notifications.

* Improved security alert handling: added structured sending to webhooks for better visibility and updated callback interval in compromised mode.

* Edit conf

* Improved dependency installation: Added the --ignore-scripts option for npm ci and npm install. Updated comments in compose.yaml for clarity.

* Refactor documentation structure and enhance logging:
- Moved documentation files from 'information' to 'docs' directory for better organization.
- Added live logging configuration to support webhook logs with email redaction.
- Updated file paths in configuration and loading functions to accommodate new structure.
- Adjusted scheduler behavior to prevent immediate runs unless explicitly set.
- Improved error handling for account and config file loading.
- Enhanced security incident documentation with detailed recovery steps.

* Fix docs

* Remove outdated documentation on NTFY, Proxy, Scheduling, Security, and Auto-Update configurations; update Browser class to prioritize headless mode based on environment variable.

* Addition of documentation for account management and Totp, Docker Guide, and Update of the Documentation Index.

* Updating Docker documentation: simplification of instructions and adding links to detailed guides. Revision of configuration options and troubleshooting sections.

* Edit

* Edit docs

* Enhance documentation for Scheduler, Security, and Auto-Update features

- Revamped the Scheduler documentation to include detailed features, configuration options, and usage examples.
- Expanded the Security guide with comprehensive incident response strategies, privacy measures, and monitoring practices.
- Updated the Auto-Update section to clarify configuration, methods, and best practices for maintaining system integrity.

* Improved error handling and added crash recovery in the Microsoft Rewards bot. Added configuration for automatic restart and handling of local search queries when trends fail.

* Fixed initial point counting in MicrosoftRewardsBot and improved error handling when sending summaries to webhooks.

* Added unified support for notifications and improved handling of webhook configurations in the normalizeConfig and log functions.

* UPDATE LOGIN

* EDIT LOGIN

* Improved login error handling: added recovery mismatch detection and the ability to switch to password authentication.

* Added a full reference to configuration in the documentation and improved log and error handling in the code.

* Added context management for conclusion webhooks and improved user configuration for notifications.

* Mini edit

* Improved logic for extracting masked emails for more accurate matching during account recovery.
2025-09-26 18:58:33 +02:00


Security & Privacy Policy

Hi there! 👋 Thanks for caring about security and privacy — we do too. This document explains how this project approaches data handling, security practices, and how to report issues responsibly.

TL;DR

  • We do not collect, phone-home, or exfiltrate your data. No hidden telemetry. 🚫📡
  • Your credentials stay on your machine (or in your container volumes). 🔒
  • Sessions/cookies are stored locally to reduce re-login friction. 🍪
  • Use at your own risk. Microsoft may take action on accounts that use automation.

What this project does (and doesn't)

This is a local automation tool that drives a browser (Playwright) to perform Microsoft Rewards activities. By default:

  • It reads configuration from local files (e.g., src/config.json, src/accounts.json).
  • It can save session data (cookies and optional fingerprints) locally under ./src/browser/<sessionPath>/<email>/.
  • It can send optional notifications/webhooks if you enable them and provide a URL.

It does not:

  • Send your accounts or secrets to any third-party service by default.
  • Embed any “phone-home” or analytics endpoints.
  • Include built-in monetization, miners, or adware. 🚫🐛

Data handling and storage

  • Accounts: You control the accounts.json file. Keep it safe. Consider environment variables or secrets managers in CI/CD.
  • Sessions: Cookies are stored locally to speed up login. You can delete them anytime by removing the session folder.
  • Fingerprints: If you enable fingerprint saving, they are saved locally only. Disable this feature if you prefer ephemeral fingerprints.
  • Logs/Reports: Diagnostic artifacts and daily summaries are written to the local reports/ directory.
  • Webhooks/Notifications: If enabled, we send only the minimal information necessary (e.g., summary text, embed fields) to the endpoint you configured.

Tip: For Docker, mount a dedicated data volume for sessions and reports so you can manage them easily. 📦

Credentials and secrets

  • Do not commit secrets. Use src/accounts.json locally or set ACCOUNTS_JSON/ACCOUNTS_FILE via environment variables when running in containers.
  • Consider using OS keychains or external secret managers where possible.
  • TOTP: If you include a Base32 TOTP secret per account, it remains local and is used strictly during login challenge flows.
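As an added illustration of the rules in the "Data handling and storage" and "Credentials and secrets" sections above (example code written for this page, not the project's own loader): it resolves accounts from ACCOUNTS_JSON, then ACCOUNTS_FILE, then the local src/accounts.json, validates each entry, checks that a TOTP secret is Base32, and masks e-mail addresses before any text is logged or forwarded to a webhook. The field names email, password and totp, the helper names, and the sample account are assumptions.

```typescript
// Added example for this page, not the project's own loader: resolve the
// accounts file the way the policy describes, validate it, and redact
// e-mail addresses before text reaches a log line or a webhook.
// Field names (email, password, totp) and helper names are assumptions.
import { readFileSync } from 'node:fs';

interface Account {
  email: string;
  password: string;
  totp?: string; // Base32 TOTP secret; stays local, used only at login
}

type Env = Record<string, string | undefined>;

// RFC 4648 Base32 alphabet with optional '=' padding; a secret shorter
// than 16 characters is almost certainly a typo, so it is rejected too.
function isBase32Secret(secret: string): boolean {
  const normalized = secret.replace(/\s+/g, '').toUpperCase();
  return normalized.length >= 16 && /^[A-Z2-7]+=*$/.test(normalized);
}

// Turn untrusted JSON into typed accounts, failing loudly on bad entries
// so a malformed file never silently runs with partial credentials.
function validateAccounts(raw: unknown): Account[] {
  if (!Array.isArray(raw) || raw.length === 0) {
    throw new Error('accounts must be a non-empty JSON array');
  }
  return raw.map((entry, index) => {
    if (typeof entry !== 'object' || entry === null) {
      throw new Error(`account #${index}: expected an object`);
    }
    const { email, password, totp } = entry as Record<string, unknown>;
    if (typeof email !== 'string' || !email.includes('@')) {
      throw new Error(`account #${index}: "email" must be an e-mail address`);
    }
    if (typeof password !== 'string' || password.length === 0) {
      throw new Error(`account #${index}: "password" must be a non-empty string`);
    }
    const account: Account = { email, password };
    if (typeof totp === 'string' && totp !== '') {
      if (!isBase32Secret(totp)) {
        throw new Error(`account #${index}: "totp" is not a Base32 secret`);
      }
      account.totp = totp.replace(/\s+/g, '').toUpperCase();
    }
    return account;
  });
}

// Resolution order from the policy: inline ACCOUNTS_JSON (containers),
// then ACCOUNTS_FILE, then the local src/accounts.json. Nothing is ever
// fetched from the network.
function loadAccounts(env: Env = process.env, defaultPath = 'src/accounts.json'): Account[] {
  if (env.ACCOUNTS_JSON) {
    return validateAccounts(JSON.parse(env.ACCOUNTS_JSON));
  }
  const path = env.ACCOUNTS_FILE ?? defaultPath;
  return validateAccounts(JSON.parse(readFileSync(path, 'utf8')));
}

// "alice@example.com" -> "a***@example.com": enough to tell accounts
// apart in a summary, not enough to identify the mailbox.
function redactEmail(email: string): string {
  const at = email.indexOf('@');
  if (at <= 0) return '***';
  return `${email[0]}***@${email.slice(at + 1)}`;
}

// Apply the same masking to free text (log lines, webhook embeds) so a
// stray address in an error message is not forwarded to a third party.
function redactText(text: string): string {
  return text.replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, redactEmail);
}

// Constructed sample environment; the account is fictitious.
const SAMPLE_ENV: Env = {
  ACCOUNTS_JSON: JSON.stringify([
    { email: 'alice@example.com', password: 'correct-horse', totp: 'JBSWY3DPEHPK3PXP' },
  ]),
};

// Build the kind of one-line summary that would go to a webhook, with
// the address already masked and the secret never included.
function demo(): string[] {
  const accounts = loadAccounts(SAMPLE_ENV);
  return accounts.map((a) => redactText(`Loaded ${a.email} (TOTP: ${a.totp ? 'yes' : 'no'})`));
}

console.log(demo());
```

The masking happens on the whole outgoing string rather than on a known field, so an address that leaks through an exception message or a page title is caught as well; the raw secret and password are never part of any string that leaves the process.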

Buy Mode safety

Buy Mode opens a monitor tab (read-only points polling) and a separate user tab for your manual actions. The monitor tab doesn't redeem or click on your behalf — it just reads dashboard data to keep totals up to date. 🛍️

Responsible disclosure

We value coordinated disclosure. If you find a security issue:

  1. Please report it privately first via an issue marked “Security” with a note to request contact details, or by contacting the repository owner directly if available.
  2. Provide a minimal reproduction and version info.
  3. We will acknowledge within a reasonable timeframe and work on a fix. 🙏

Please do not open public issues with sensitive details before we have had a chance to remediate.

Scope and assumptions

  • This project is open-source and runs on your infrastructure (local machine or container). You are responsible for host hardening and network policies.
  • Automation can violate terms of service. You assume all responsibility for how you use this tool.
  • Browsers and dependencies evolve. Keep the project and your runtime up to date.

Dependency and update policy

  • We pin key dependencies where practical and avoid risky postinstall scripts in production builds.
  • Periodic updates are encouraged. The project includes an optional auto-update helper. Review changes before enabling in sensitive environments.
  • Use Playwright official images when running in containers to receive timely browser security updates. 🛡️

Safe use guidelines

  • Run with least privileges. In Docker, prefer non-root where feasible and set no-new-privileges if supported.
  • Limit outbound network access if your threat model requires it.
  • Rotate credentials periodically and revoke unused secrets.
  • Clean up diagnostics and reports if they contain sensitive metadata.

Privacy statement

We don't collect personal data. The repository does not embed analytics. Any processing done by this tool happens locally or against the Microsoft endpoints it drives on your behalf.

If you enable third-party notifications (Discord, NTFY, etc.), data sent there is under your control and subject to those services' privacy policies.

Contact

To report a security issue or ask a question, please open an issue with the “Security” label and we'll follow up with a private channel. You can also reach out to the project owner/maintainers via GitHub if contact details are listed. 💬

— Stay safe and have fun automating!