Compass takes security seriously. If you believe you've found a vulnerability, please do not open a public issue. Instead:
- Email: send to the maintainer with the subject `[SECURITY] Compass`
- GitHub private advisory: use "Report a vulnerability" under the repository's Security tab
Please include:
- Vulnerability type (XSS / SQL injection / IDOR / auth bypass / SSRF / etc.)
- Reproduction steps, as detailed as possible
- Impact (what data can be leaked, what actions can be performed)
- Suggested fix, if you have one
What to expect after reporting:
- Acknowledgement: within 3 business days
- Initial assessment: within 7 business days, with a severity rating and a fix plan
- Fix release: critical issues within 30 days; medium and low issues in the next release
Severity is rated with CVSS v3.1 base scores:
| Severity | CVSS | Example |
|---|---|---|
| Critical | 9.0–10.0 | unauthenticated RCE / full database leak |
| High | 7.0–8.9 | auth bypass / arbitrary cross-user read-write |
| Medium | 4.0–6.9 | single-record IDOR / XSS |
| Low | 0.1–3.9 | information disclosure / misconfiguration |
Compass is designed with these defences; please keep them in mind when contributing:
- IDOR defence: every service-layer function takes `userId` first; every `findFirst`/`findUnique` `where` clause must include `userId`
- Zod strict validation: every API input runs through a `.strict()` schema, rejecting unknown fields
- bcrypt password hashing: passwords are salted and hashed with `bcryptjs`, never stored in plaintext
- NextAuth JWT sessions: the session secret is read from the environment, never committed
- Rate limiting: every API route calls `rateLimit()` to resist brute force
- CSRF: NextAuth's built-in CSRF token is enabled
- HTTP security headers: HSTS / CSP / X-Frame-Options are set at the Caddy reverse proxy layer
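The IDOR and rate-limiting rules above, shown as an added example that is not Compass's own code. It uses an in-memory stand-in that mimics the shape of Prisma's `findFirst({ where })` and `updateMany({ where, data })` calls so it runs offline; the model (`Doc`), the store, `createRateLimiter`, `handleRename` and the two sample rows are all assumptions made for the example. It shows the unscoped lookup that leaks another user's row beside the scoped read and write, and a route-style handler that applies the rate limit before touching the store.

```typescript
// Added example (not Compass code). Names, types and sample data are assumptions.
type Doc = { id: number; userId: number; title: string };
type Where = Partial<Doc>;

// Row matches when every field given in `where` is equal (Prisma-like equality filter).
function matches(row: Doc, where: Where): boolean {
  return (Object.keys(where) as (keyof Doc)[]).every((k) => row[k] === where[k]);
}

// Minimal stand-in for a Prisma model delegate.
class DocStore {
  constructor(private rows: Doc[]) {}
  findFirst(args: { where: Where }): Doc | null {
    return this.rows.find((r) => matches(r, args.where)) ?? null;
  }
  updateMany(args: { where: Where; data: Partial<Omit<Doc, "id" | "userId">> }): { count: number } {
    let count = 0;
    for (const r of this.rows) {
      if (matches(r, args.where)) {
        Object.assign(r, args.data);
        count++;
      }
    }
    return { count };
  }
}

// Constructed sample data: two users, one document each.
export const db = new DocStore([
  { id: 1, userId: 10, title: "alice-notes" },
  { id: 2, userId: 20, title: "bob-notes" },
]);

// VULNERABLE: looks the row up by id alone, so any caller can read any user's row (IDOR).
export function getDocUnscoped(id: number): Doc | null {
  return db.findFirst({ where: { id } });
}

// HARDENED: userId is the first parameter and always part of the where clause,
// so a guessed id that belongs to someone else simply yields null.
export function getDoc(userId: number, id: number): Doc | null {
  return db.findFirst({ where: { id, userId } });
}

// Same rule for writes: a cross-user rename matches 0 rows instead of clobbering data.
export function renameDoc(userId: number, id: number, title: string): number {
  return db.updateMany({ where: { id, userId }, data: { title } }).count;
}

// Fixed-window in-memory rate limiter keyed by client (IP, userId, ...).
// Returns true when the request is allowed. The clock is injectable for deterministic tests.
export function createRateLimiter(
  limit: number,
  windowMs: number,
  now: () => number = Date.now,
): (key: string) => boolean {
  const buckets = new Map<string, { windowStart: number; count: number }>();
  return function rateLimit(key: string): boolean {
    const t = now();
    const b = buckets.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      buckets.set(key, { windowStart: t, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// Route-style composition: rate limit first, then the user-scoped write.
// Returns an HTTP-style status so the order of checks is visible (429 before any DB work).
export function handleRename(
  limiter: (key: string) => boolean,
  clientKey: string,
  sessionUserId: number, // taken from the verified session, never from the request body
  id: number,
  title: string,
): 200 | 404 | 429 {
  if (!limiter(clientKey)) return 429;
  return renameDoc(sessionUserId, id, title) === 1 ? 200 : 404;
}
```

Responding 404 rather than 403 on a cross-user id keeps the handler from confirming that the id exists; the scoped query makes that the natural outcome because a foreign row and a missing row look identical to the caller.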
| Version | Security updates |
|---|---|
| latest main | ✅ |
| historical tags | ❌ — please upgrade to the latest release |
Reporters who wish to be credited will be thanked in the next release's CHANGELOG entry.