Security: defconxt/packforge

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest

Reporting a Vulnerability

If you discover a security vulnerability in PackForge, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use one of these methods:

  1. GitHub Security Advisories (preferred): Go to the Security tab and click "Report a vulnerability"
  2. Email: Contact the maintainer directly via their GitHub profile

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix timeline: Depends on severity, typically within 2 weeks for critical issues

Scope

The following are in scope:

  • The PackForge web application (packforge.org)
  • Supabase RLS policies and SECURITY DEFINER RPCs
  • Authentication and authorization flows
  • Client-side security (XSS, CSRF, injection)
  • Dependency vulnerabilities

The following are out of scope:

  • Third-party services (Supabase infrastructure, Vercel platform, Open-Meteo API)
  • Social engineering attacks
  • Denial of service attacks
  • Issues in dependencies that don't affect PackForge

Security Measures

PackForge employs the following security measures:

  • Row Level Security (RLS) on all database tables
  • Content Security Policy (CSP) via meta tag
  • Security headers via Vercel configuration (HSTS, X-Frame-Options, etc.)
  • Input sanitization on all user inputs
  • NIST 800-63B password policy with breach detection
  • MFA/TOTP support with backup codes
  • Client-side rate limiting on all mutations
  • Automated scanning: Snyk, OSV-Scanner, Trivy, TruffleHog, Dependabot