Please do not open a public GitHub issue for security-sensitive reports.

1. Preferred: GitHub private security advisory
2. Or contact maintainers with reproduction steps and impact.

We aim to acknowledge reports within 5 business days.

• Authentication bypass, SSRF, or injection in CVE Radar server routes
• Secret leakage via client bundle or logs
• Rate-limit / DoS issues on /api/scan or /api/watch (separate middleware buckets; /scan/validate exempt)

• Vulnerabilities inside third-party feeds (NVD, OSV, GitHub, CISA, RSS content)
• Findings that only affect a misconfigured public deployment (expose .env, open admin ports without TLS)
• Social engineering

• Keep NVD_API_KEY, GITHUB_TOKEN, translation keys, webhooks, and API_SECRET in server env or mounted secret files — never commit, ship to the browser, or bake into image layers. See docs/self-hosted/SECRETS.md.
• For authenticated deployments, set API_SECRET on the server (or API_SECRET_FILE). The UI can send the same value via build-time VITE_API_KEY (single-tenant internal tool only). GET /api/health and GET /api/v1/health stay unauthenticated for load balancers.
• RBAC: When API_SECRET and/or OIDC (OIDC_ISSUER) is configured, route permissions apply. Shared-secret clients use API_ROLE (default admin). Bearer JWT clients map IdP groups via OIDC_ROLE_MAPPING (see below).

When OIDC_ISSUER is set, clients may send Authorization: Bearer <access_token> instead of the shared secret. Configure:

Example:

OIDC_ISSUER=https://login.example.com/realms/cve-radar
OIDC_ROLE_MAPPING={"cve-radar-admin":"admin","cve-radar-scanner":"scanner"}
OIDC_GROUPS_CLAIM=realm_access.roles

Automation (CI, scripts) can keep using X-Api-Key + API_SECRET alongside OIDC. A Bearer value equal to API_SECRET still uses API_ROLE. JWT-shaped tokens are verified via OIDC when enabled.

Web UI SSO: Register redirect URI https://<panel-host>/auth/callback (dev: http://localhost:5173/auth/callback) on the IdP. Set OIDC_CLIENT_ID on the API host; the panel loads public endpoints from GET /api/v1/auth/oidc and completes PKCE in the browser.

Unmapped groups return 403 { "code": "OIDC_ROLE_UNMAPPED" } unless OIDC_DEFAULT_ROLE is set. Invalid tokens return 401 { "code": "AUTH_INVALID" }.

Blocked example: API_ROLE=viewer returns 403 { "code": "FORBIDDEN" } on POST /api/scan.

• Run behind HTTPS; restrict who can reach the API port.
• Tune RATE_LIMIT_SCAN_PER_MIN, RATE_LIMIT_WATCH_PER_MIN, and SCAN_TIMEOUT_MS if the instance is internet-facing (see .env.example).
• HTTP security headers: production (NODE_ENV=production) enables Helmet — CSP, X-Content-Type-Options, Referrer-Policy, and HSTS. Upstream CVE feeds are fetched server-side; browser connect-src is 'self' only. CSP allows Google Fonts and jsDelivr (Vazirmatn CSS). See server/middleware/securityHeaders.ts.
• This tool aggregates public feeds for awareness; validate with vendor advisories before acting.

Dependency review: npm audit in CI, Dependabot, CodeQL on main and PRs.