| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
- Report vulnerabilities privately via GitHub Security Advisories
- Provide detailed information about the vulnerability
- Allow reasonable time for us to address the issue before public disclosure
- Include steps to reproduce if possible
Please do not:
- Open public issues for security vulnerabilities
- Exploit a vulnerability beyond what is necessary to demonstrate it
- Access or modify other users' data
When reporting a vulnerability, please include:
- Description - Clear description of the vulnerability
- Impact - Potential impact and severity
- Steps to Reproduce - Detailed steps to reproduce the issue
- Affected Versions - Which versions are affected
- Suggested Fix - If you have one (optional)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution target: depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: next release
This project follows security best practices:
- Dependencies are regularly updated
- Secrets are never committed to the repository
- Input validation on all API endpoints
- SQL injection prevention via parameterized queries
- Authentication tokens are properly secured
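The parameterized-query and input-validation points above, shown side by side in an added example. This is not code from this project: the table schema, the sample users and the username allowlist pattern are assumptions made for illustration, and the database is an in-memory SQLite instance so the script runs offline.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not the project's real schema.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Assumed allowlist for usernames; adjust to the real format the API accepts.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Build the query by string formatting: the caller's input becomes SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Bind the value with a placeholder: the driver never interprets it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """Allowlist check applied at the endpoint before the value reaches the database."""
    return bool(USERNAME_RE.fullmatch(username))


# Classic tautology payload: closes the quoted string and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def compare(username):
    """Run the same lookup both ways and report row counts plus the validation result."""
    conn = make_db()
    return {
        "valid_input": validate_username(username),
        "vulnerable_rows": len(find_user_vulnerable(conn, username)),
        "safe_rows": len(find_user_safe(conn, username)),
    }


if __name__ == "__main__":
    print("legitimate:", compare("alice"))   # both paths return 1 row
    print("payload:   ", compare(PAYLOAD))   # vulnerable returns 2 rows, safe returns 0
```

The concatenated query returns every user for the payload because the input rewrites the WHERE clause; the bound query returns nothing because the whole string is compared as a literal. The allowlist check is a second layer: it rejects the payload before any query runs, but it is not a substitute for binding, since a valid-looking value can still be hostile in a different query context.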
Never commit .env files. Use .env.example as a template:

```bash
# Copy and configure
cp src/backend/.env.example src/backend/.env
```

Database security:
- Use strong passwords for database connections
- Enable SSL for production database connections
- Back up the database regularly
API security:
- All endpoints validate input data
- Rate limiting should be configured in production
- CORS is configured for allowed origins only
We appreciate responsible disclosure and will acknowledge security researchers who help improve our security.