Security: 0bserver07/codingagents.dev

Security Policy

Supported Versions

Version   Supported
main      yes

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@codingagents.dev

Include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any suggested fixes (optional)

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Updates: We will keep you informed of our progress
  • Resolution: We aim to resolve critical issues within 7 days
  • Credit: We will credit you in our release notes (unless you prefer to remain anonymous)

Scope

The following are in scope for security reports:

  • Authentication and authorization bypass
  • SQL injection, XSS, CSRF vulnerabilities
  • Remote code execution
  • Information disclosure
  • Privilege escalation

Out of Scope

  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks
  • Issues in third-party dependencies (report these to the respective maintainers)

Security Best Practices for Self-Hosting

If you're running your own instance:

  1. Keep dependencies updated: Run bundle update regularly
  2. Use strong secrets: Generate a new RAILS_MASTER_KEY for your instance
  3. Enable HTTPS: Always use TLS in production
  4. Configure rate limiting: Rack::Attack is included but should be tuned for your traffic
  5. Set up monitoring: Configure Sentry or similar error tracking
  6. Regular backups: Implement automated database backups
  7. Review logs: Monitor for suspicious activity
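To make item 4 concrete, here is an added example (not the project's own code) of a minimal Rack-compatible middleware that mirrors the fixed-window throttle semantics Rack::Attack provides, so limits can be unit-tested before they go into the real config/initializers/rack_attack.rb. The paths, limits and periods are assumptions chosen for illustration.

```ruby
# Added example: Rack::Attack-style fixed-window throttling in plain Ruby.
# The login path and limits below are assumptions, not project settings.
class TunedThrottle
  # A rule counts requests per `key` within a `period` (seconds); the
  # discriminator returns the key to count against, or nil to skip the rule.
  Rule = Struct.new(:name, :limit, :period, :discriminator)

  DEFAULT_RULES = [
    # Tight limit on credential submissions, keyed by client IP (assumed path).
    Rule.new("logins/ip", 5, 60, lambda { |env|
      env["REMOTE_ADDR"] if env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == "/session"
    }),
    # Looser general limit per IP; raise it if legitimate clients see 429s.
    Rule.new("req/ip", 300, 300, ->(env) { env["REMOTE_ADDR"] })
  ].freeze

  # `store` stands in for Rails.cache; `clock` is injectable for testing.
  def initialize(app, rules: DEFAULT_RULES, store: {}, clock: -> { Time.now.to_i })
    @app, @rules, @store, @clock = app, rules, store, clock
  end

  def call(env)
    @rules.each do |rule|
      key = rule.discriminator.call(env)
      next unless key
      return throttled(rule) if increment(rule, key) > rule.limit
    end
    @app.call(env)
  end

  private

  # Fixed window: the cache key embeds the window index, so the counter
  # resets when the period rolls over, matching Rack::Attack's keying.
  def increment(rule, key)
    window = @clock.call / rule.period
    cache_key = "#{rule.name}:#{window}:#{key}"
    @store[cache_key] = @store.fetch(cache_key, 0) + 1
  end

  def throttled(rule)
    [429, { "content-type" => "text/plain", "retry-after" => rule.period.to_s },
     ["Throttled by #{rule.name}\n"]]
  end
end
```

Mount it in a Rack stack in place of Rack::Attack when experimenting; the constructed test below exercises the login limit, per-IP isolation and window rollover.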

Security Features

This application includes:

  • Rate limiting via Rack::Attack
  • CSRF protection
  • Parameter filtering for sensitive data
  • Secure password hashing with bcrypt
  • Two-factor authentication support
  • SSRF protection for URL fetching
  • Content Security Policy headers

Thank you for helping keep codingagents.dev and its users safe!