
Security: MS33834/compass


SECURITY.md

Security Policy

Reporting a vulnerability

Compass takes security seriously. If you believe you've found a vulnerability, please do not open a public issue. Instead:

  1. Email: send to the maintainer with the subject [SECURITY] Compass
  2. GitHub private advisory: use Report a vulnerability

Please include:

  • Vulnerability type (XSS / SQL injection / IDOR / auth bypass / SSRF / etc.)
  • Reproduction steps, as detailed as possible
  • Impact (what data can be leaked, what actions can be performed)
  • Suggested fix, if you have one

Response timeline

  • Acknowledgement: within 3 business days
  • Initial assessment: within 7 business days, with a severity rating and fix plan
  • Fix release: critical within 30 days, medium/low in the next release

Severity rating

We use CVSS v3.1:

| Severity | CVSS v3.1 score | Example |
|----------|-----------------|---------|
| Critical | 9.0–10.0 | unauthenticated RCE / full database leak |
| High | 7.0–8.9 | auth bypass / arbitrary cross-user read-write |
| Medium | 4.0–6.9 | single-record IDOR / XSS |
| Low | 0.1–3.9 | information disclosure / misconfiguration |

Built-in protections

Compass is designed with these defences — please keep them in mind when contributing:

  • IDOR defence: every service-layer function takes userId first; every findFirst / findUnique where clause must include userId
  • Zod strict validation: every API input runs through a .strict() schema, rejecting unknown fields
  • bcrypt password hashing: passwords are salted and hashed with bcryptjs, never stored in plaintext
  • NextAuth JWT sessions: session secret read from env, never committed
  • Rate limiting: every API route calls rateLimit() to resist brute force
  • CSRF: NextAuth's built-in CSRF token is enabled
  • HTTP security headers: HSTS / CSP / X-Frame-Options set at the Caddy reverse proxy layer
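The two contributor rules most likely to be broken by accident are the first two: a lookup that forgets `userId` in its where clause, and a schema that silently strips rather than rejects unknown fields. The following is an added example, not Compass project code, that models both with an in-memory store standing in for Prisma's `findFirst` and a hand-written check standing in for Zod's `.strict()`. All names in it (`Note`, `notes`, `findFirst`, `getNoteUnsafe`, `getNote`, `parseNoteUpdate`) and the sample data are hypothetical.

```typescript
// Added example (not Compass code). Shows the tenant-scoped lookup the IDOR
// rule requires beside the unscoped lookup it forbids, and an unknown-field
// check mirroring what a Zod .strict() schema does for API input.

type Note = { id: string; userId: string; title: string };

// Constructed sample data: two users, one note each.
const notes: Note[] = [
  { id: "n1", userId: "alice", title: "alice's note" },
  { id: "n2", userId: "bob", title: "bob's note" },
];

// Minimal stand-in for prisma.note.findFirst({ where }): every key in `where`
// must match the row.
function findFirst(where: Partial<Note>): Note | null {
  const keys = Object.keys(where) as (keyof Note)[];
  return notes.find((n) => keys.every((k) => n[k] === where[k])) ?? null;
}

// VULNERABLE (what the IDOR rule forbids): looks up by id alone, so any
// authenticated user who guesses or enumerates another user's note id reads
// it. The caller's identity never reaches the query.
function getNoteUnsafe(noteId: string): Note | null {
  return findFirst({ id: noteId });
}

// HARDENED (what the IDOR rule requires): userId is the first parameter and
// part of the where clause, so a note that exists but belongs to someone else
// is indistinguishable from a note that does not exist.
function getNote(userId: string, noteId: string): Note | null {
  return findFirst({ id: noteId, userId });
}

// Unknown-field rejection, as Zod's .strict() does: a body such as
// { title, userId } sent to a note-update endpoint must be refused outright.
// Silently stripping the extra key hides a probing attempt; accepting it
// would let a caller reassign ownership of the record.
const NOTE_UPDATE_FIELDS: readonly string[] = ["title"];
type NoteUpdate = { title: string };

function parseNoteUpdate(input: unknown): NoteUpdate {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    throw new Error("body must be a JSON object");
  }
  const obj = input as Record<string, unknown>;
  const unknownKeys = Object.keys(obj).filter((k) => !NOTE_UPDATE_FIELDS.includes(k));
  if (unknownKeys.length > 0) {
    throw new Error(`unrecognized key(s) in body: ${unknownKeys.join(", ")}`);
  }
  if (typeof obj.title !== "string" || obj.title.length === 0) {
    throw new Error("title must be a non-empty string");
  }
  return { title: obj.title };
}

// Stand-alone demonstration: alice requests bob's note through each path.
console.log("unsafe lookup as alice:", getNoteUnsafe("n2"));   // bob's note leaks
console.log("scoped lookup as alice:", getNote("alice", "n2")); // null
console.log("scoped lookup as bob:  ", getNote("bob", "n2"));   // bob's note
try {
  parseNoteUpdate({ title: "renamed", userId: "bob" });
} catch (e) {
  console.log("strict check:", (e as Error).message);
}
```

In a real Prisma service the same shape applies: `findFirst({ where: { id, userId } })` for the scoped read, and the `userId` comes from the verified session, never from the request body. Note that `findUnique` only accepts a compound `where` if the schema declares a matching compound unique index, so where that is not the case the rule is satisfied with `findFirst`.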

Supported versions

| Version | Security updates |
|---------|------------------|
| latest (main) | supported |
| historical tags | ❌ — please upgrade to the latest release |

Acknowledgement

Reporters who wish to be credited will be thanked in the next release's CHANGELOG entry.
