| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities to:
- Email: security@example.com
- Response Time: We aim to respond within 48 hours
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Content Security Policy (CSP): Prevents XSS attacks by restricting resource loading
- Markdown Sanitization: User-generated markdown sanitized via rehype-sanitize
- HTTPS Only: All traffic encrypted with TLS 1.3
- Security Headers: X-Frame-Options, X-Content-Type-Options, HSTS
- Dependency Scanning: Automated daily scans via pnpm audit and Snyk
- Error Tracking: Sentry integration with PII redaction
- CORS Configuration: Only allows requests from authorized origins
- Input Validation: All API inputs validated with class-validator
- Authentication: JWT-based authentication with secure token storage
- Rate Limiting: API rate limiting to prevent abuse
- SQL Injection Prevention: TypeScript type safety and parameterized queries
- Automated Updates: Dependabot creates PRs for dependency updates
- CI/CD Security: GitHub Actions with secret scanning
- Environment Isolation: Separate environments for dev/staging/production
- Secret Management: GitHub Secrets for sensitive configuration
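The CORS and security-header items above describe controls without showing how they are typically wired. The following is an added example (not this project's code) of an exact-match origin allowlist and the header set named in the list, in plain Node.js with no third-party dependencies. The origins in `ALLOWED_ORIGINS` and the CSP directives are constructed placeholders, not the project's real configuration.

```javascript
// Added example, not part of the project. Origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the origin to echo in Access-Control-Allow-Origin, or null when the
// request must receive no CORS headers at all. Comparing the full, parsed origin
// against an allowlist avoids the usual mistakes: prefix or suffix matching
// ("app.example.com.evil.com"), regexes with unescaped dots, and reflecting
// whatever Origin the client sent.
function resolveCorsOrigin(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return null;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // not a URL at all
  }
  // A browser sends a bare origin. Anything with credentials, a path, a query or
  // a fragment is malformed and is rejected rather than normalised away.
  if (parsed.username || parsed.password || parsed.pathname !== "/" ||
      parsed.search || parsed.hash) {
    return null;
  }
  // URL.origin lowercases the host and drops default ports, so
  // "https://app.example.com:443" matches the allowlist entry. Non-HTTP schemes
  // (file:, data:) yield the string "null", which is never in the set.
  const origin = parsed.origin;
  return ALLOWED_ORIGINS.has(origin) ? origin : null;
}

// The headers listed in the policy. The CSP is an example policy for an app that
// serves its own scripts and embeds no frames; a real policy is tuned per app.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  };
}

function corsHeaders(originHeader) {
  const origin = resolveCorsOrigin(originHeader);
  if (origin === null) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    // Without Vary: Origin a shared cache could serve a response that carries
    // one origin's ACAO header to a request from a different origin.
    Vary: "Origin",
  };
}

// Merge both sets for a response; `requestHeaders` is a plain object keyed by
// lowercase header name, as Node's http.IncomingMessage.headers provides.
function buildResponseHeaders(requestHeaders) {
  return { ...securityHeaders(), ...corsHeaders(requestHeaders.origin) };
}

// Constructed sample requests to show the decisions.
const samples = [
  "https://app.example.com",
  "https://app.example.com:443",
  "https://app.example.com.evil.example",
  "https://evil.example/https://app.example.com",
  "null",
];
for (const o of samples) {
  console.log(JSON.stringify(o), "->", resolveCorsOrigin(o));
}
```

The check is deliberately a set lookup on the normalised origin: any wildcard or regex convenience should be added only with a test like the `.evil.example` case above, which is where most allowlist bugs appear.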
- Never commit secrets (API keys, tokens) to the repository
- Run `pnpm audit` before submitting PRs
- Use environment variables for configuration (see .env.example)
- Sanitize all user input before rendering
- Follow OWASP Top 10 guidelines
- Enable 2FA on your GitHub account
- Sign commits with GPG keys
- Critical Patches: Applied within 24 hours
- High Severity: Applied within 1 week
- Medium/Low Severity: Applied during regular dependency updates
- Dependency Updates: Reviewed and merged weekly
For security-related inquiries, contact: security@example.com