Security: CCallahan308/MeasureMap

SECURITY.md

Security Policy

Reporting a vulnerability

MeasureMap is built for organizations that take metric definitions seriously — often in regulated settings. If you discover a security issue, please do not open a public issue.

Instead, use GitHub's private security advisory workflow:

  1. Go to https://github.com/CCallahan308/MeasureMap/security/advisories/new
  2. Describe the issue, including:
    • Affected component or route
    • Reproduction steps
    • Impact you observed (data exposure, privilege escalation, etc.)
    • Suggested fix or mitigation if you have one

We aim to acknowledge reports within 3 business days and to publish a fix or mitigation within 30 days for high-severity issues.

Scope

In scope:

  • Authentication and session handling (LDAP/AD integration, NextAuth flows)
  • Authorization (role-based access, org-scoped queries)
  • CSRF, XSS, and injection vectors
  • Audit log integrity and PII scrubbing
  • Rate limiting and credential-stuffing surfaces
  • Destructive database migrations (the safe-to-drop marker check)

Out of scope:

  • Vulnerabilities requiring local OS access on the host running MeasureMap
  • Issues that depend on an attacker already controlling your LDAP server or PostgreSQL instance
  • Social engineering of your AD administrators
  • Self-hosted infrastructure misconfiguration unrelated to MeasureMap (Caddy/Nginx/PostgreSQL/Docker)

Notable security behaviors

Documented in the README's Security section, but to repeat:

  • LDAP filter values are escaped per RFC 4515 before substitution.
  • All queries are organization-scoped via the session's orgId.
  • CSRF protection validates the Origin header against NEXTAUTH_URL and APP_ALLOWED_ORIGINS.
  • Login endpoint is rate-limited.
  • Audit log entries scrub PII fields.
  • Destructive Prisma migrations are blocked by CI unless explicitly marked.
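Two of the behaviors listed above, RFC 4515 escaping of LDAP filter values and Origin validation against NEXTAUTH_URL and APP_ALLOWED_ORIGINS, written out as an added TypeScript example. This is not MeasureMap's own code: the function names, the comma-separated format assumed for APP_ALLOWED_ORIGINS, and the sample values are all assumptions made for illustration.

```typescript
// Added example, not MeasureMap's code. Shows the two checks named in the
// policy: RFC 4515 filter-value escaping and CSRF Origin validation.
// The comma-separated APP_ALLOWED_ORIGINS format is an assumption.

// RFC 4515 section 3: inside a filter value, '*', '(', ')', '\' and NUL
// must be written as a backslash followed by two hex digits. Escaping the
// value (not the whole filter) keeps user input from closing or extending
// the filter expression.
function escapeLdapFilterValue(value: string): string {
  return value.replace(/[\\*()\u0000]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, "0");
    return `\\${hex}`;
  });
}

// Substitute the escaped value into a uid lookup filter.
function buildUidFilter(username: string): string {
  return `(uid=${escapeLdapFilterValue(username)})`;
}

// Reduce a URL or Origin header to scheme://host[:port]; null when the
// value is not an absolute URL (covers the literal "null" origin too).
function normalizeOrigin(raw: string): string | null {
  try {
    return new URL(raw.trim()).origin;
  } catch {
    return null;
  }
}

// Allowed set: the origin of NEXTAUTH_URL plus every entry of the
// comma-separated APP_ALLOWED_ORIGINS (format assumed). Paths are dropped,
// so "https://app.example.com/api/auth" contributes "https://app.example.com".
function allowedOrigins(env: {
  NEXTAUTH_URL?: string;
  APP_ALLOWED_ORIGINS?: string;
}): Set<string> {
  const candidates = [
    env.NEXTAUTH_URL ?? "",
    ...(env.APP_ALLOWED_ORIGINS ?? "").split(","),
  ];
  const allowed = new Set<string>();
  for (const candidate of candidates) {
    const origin = normalizeOrigin(candidate);
    if (origin) allowed.add(origin);
  }
  return allowed;
}

// CSRF check for state-changing requests: the Origin header must be present
// and match an allowed origin exactly. A missing header is rejected rather
// than trusted, and comparison is on the normalized origin, so a host that
// merely starts with the allowed one ("app.example.com.evil.test") fails.
function isOriginAllowed(
  originHeader: string | null | undefined,
  allowed: Set<string>,
): boolean {
  if (!originHeader) return false;
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowed.has(origin);
}

// Constructed sample input, for running the file directly.
const sampleAllowed = allowedOrigins({
  NEXTAUTH_URL: "https://app.example.com/api/auth",
  APP_ALLOWED_ORIGINS: "https://admin.example.com, https://app.example.com:8443",
});
console.log(buildUidFilter("*)(uid=*"));
console.log(isOriginAllowed("https://app.example.com", sampleAllowed));
console.log(isOriginAllowed("https://app.example.com.evil.test", sampleAllowed));
```

The escape function deliberately operates on the value alone: callers build the filter around it, so the `(`, `)` and `*` that belong to the filter syntax stay intact while the same characters arriving in a username are neutralized. The Origin check compares normalized origins from a fixed set rather than prefix-matching the header string, which is the difference between rejecting and accepting a look-alike host.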

Supported versions

Security patches are applied to the latest minor release on main. There is no LTS branch at this time.