We take security vulnerabilities seriously. If you discover a security issue in Epicode, please report it responsibly.

Please do not:
- Open a public GitHub issue for the vulnerability
- Exploit the vulnerability beyond what is necessary to demonstrate it
- Share the vulnerability with others before it has been addressed

Report via GitHub Security Advisories (preferred):
Go to https://github.com/sunormesky-max/epicode/security/advisories/new and submit a private vulnerability report.

Please include:
- Description — Clear description of the vulnerability
- Impact — What an attacker could achieve
- Reproduction — Step-by-step instructions
- Proof of Concept — If applicable
- Suggested Fix — If you have one

| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial Assessment | Within 7 days |
| Fix Development | Depends on severity |
| Disclosure | After fix is released |

| Version | Supported |
|---|---|
| 1.0.x | Yes |

If you are self-hosting Epicode:
- Always set environment variables — never use placeholder values
- Use strong, unique keys — generate with `openssl rand -base64 32`
- Enable HTTPS — use a reverse proxy (Nginx/Caddy) with TLS
- Restrict network access — bind to `127.0.0.1`, use firewall rules
- Keep dependencies updated — run `cargo audit` regularly
- Rotate keys periodically — especially if you suspect exposure
- Review access logs — monitor for suspicious activity

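A pre-flight script that checks a deployment against the checklist above, added here as an example and not part of Epicode; the variable names `EPICODE_SECRET_KEY` and `EPICODE_BIND_ADDR` are assumptions, since this policy does not name the project's configuration variables.

```shell
#!/bin/sh
# Added example: pre-flight checks for a self-hosted Epicode deployment.
# EPICODE_SECRET_KEY and EPICODE_BIND_ADDR are hypothetical variable names.

# Key generation exactly as recommended in the policy.
generate_key() {
  openssl rand -base64 32
}

# Reject empty values and the usual placeholder strings left in .env templates.
is_placeholder() {
  case "$1" in
    ""|*changeme*|*CHANGEME*|*example*|*your-*|*placeholder*|*xxx*) return 0 ;;
    *) return 1 ;;
  esac
}

# 32 random bytes base64-encode to 44 characters; anything shorter was not
# generated with the recommended command.
key_is_strong() {
  [ "${#1}" -ge 44 ]
}

# The service should only listen on loopback; the reverse proxy terminates TLS.
bind_is_local() {
  case "$1" in
    127.0.0.1:*|localhost:*|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run every check and report all findings before failing.
preflight() {
  rc=0
  if is_placeholder "${EPICODE_SECRET_KEY:-}" || ! key_is_strong "${EPICODE_SECRET_KEY:-}"; then
    echo "EPICODE_SECRET_KEY missing, placeholder or too short; run: openssl rand -base64 32" >&2
    rc=1
  fi
  if ! bind_is_local "${EPICODE_BIND_ADDR:-}"; then
    echo "EPICODE_BIND_ADDR should be 127.0.0.1:<port> behind the reverse proxy" >&2
    rc=1
  fi
  # Dependency audit, when cargo-audit is installed (cargo install cargo-audit).
  if command -v cargo-audit >/dev/null 2>&1; then
    cargo audit || rc=1
  fi
  return $rc
}
```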
Epicode includes the following security measures:
- AES-256-GCM encryption for stored data
- Argon2id password hashing
- Constant-time key comparison
- API key authentication
- Rate limiting
- Security headers (CSP, HSTS, X-Frame-Options)
- Login brute-force protection (account lockout after 5 failures)