Security: documentstack/sdk-python

Security Policy

🔒 Security at DocumentStack

Security is a top priority at DocumentStack. We take the security of our systems and our users' data seriously. This document outlines our security policy and how to report vulnerabilities.

πŸ›‘οΈ Supported Versions

We provide security updates for the following versions:

Version   Supported
2.x.x     ✅ Yes
1.x.x     ⚠️ Critical fixes only
< 1.0     ❌ No

Recommendation: Always use the latest stable version to receive all security updates.

🚨 Reporting a Vulnerability

Please DO NOT report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, please report it to us privately:

Preferred Method: Email

Send details to security@documentstack.com with:

  1. Description - What is the vulnerability?
  2. Impact - What can an attacker do?
  3. Affected versions - Which versions are vulnerable?
  4. Reproduction steps - How can we reproduce it?
  5. Proof of concept - Code or detailed steps
  6. Suggested fix - If you have one (optional)

What to Include

Subject: [SECURITY] Brief description of the issue

- Type of vulnerability (e.g., XSS, CSRF, injection)
- Full paths of source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it

Response Timeline

  • 24 hours - Initial response acknowledging receipt
  • 72 hours - Preliminary assessment and severity classification
  • 7 days - Detailed response with remediation plan
  • 30 days - Target for patch release (critical issues faster)

🎯 Scope

In Scope

The following are in scope for vulnerability reports:

  • DocumentStack API - Server-side vulnerabilities
  • Client Libraries - @documentstack/* npm packages
  • Template Engine - Template injection, XSS, etc.
  • Authentication/Authorization - Access control issues
  • Data exposure - Sensitive information leaks
  • Denial of Service - Resource exhaustion
  • Dependency vulnerabilities - In production dependencies

Out of Scope

The following are typically not considered security issues:

  • Vulnerabilities in outdated/unsupported versions
  • Issues requiring physical access to user devices
  • Social engineering attacks
  • Theoretical vulnerabilities without proof of exploitability
  • Vulnerabilities in third-party services we don't control
  • Issues already reported or being addressed
  • Spam or social engineering
  • Denial of Service without clear exploitation path

πŸ† Recognition

We appreciate security researchers who help keep DocumentStack secure:

Acknowledgments

Security researchers who responsibly disclose vulnerabilities will be:

  • Acknowledged in our security advisories (with permission)
  • Listed in our Hall of Fame (coming soon)
  • Credited in release notes

Bounty Program

We are currently evaluating a bug bounty program. Stay tuned for updates!

πŸ” Security Best Practices

For Users

When using DocumentStack:

  1. Keep Updated - Always use the latest stable version
  2. Secure API Keys - Never expose keys in client-side code or public repos
  3. Environment Variables - Store credentials in env vars, not in code
  4. HTTPS Only - Always use HTTPS in production
  5. Input Validation - Validate and sanitize all user input before templating
  6. Template Safety - Be cautious with user-provided template data
  7. Access Control - Implement proper authentication and authorization
  8. Rate Limiting - Protect your endpoints from abuse
  9. Monitoring - Monitor for unusual API usage patterns

For Contributors

When contributing code:

  1. Input Validation - Validate all input
  2. Output Encoding - Properly encode output
  3. SQL Injection - Use parameterized queries
  4. XSS Prevention - Sanitize user content
  5. CSRF Protection - Implement CSRF tokens
  6. Dependency Audit - Run npm audit regularly
  7. Secrets - Never commit secrets or API keys
  8. Secure Defaults - Default to secure configurations
  9. Error Handling - Don't leak sensitive info in errors
  10. Code Review - All code goes through security review

πŸ” Security Measures

What We Do

  • Regular Audits - Periodic security audits of our codebase
  • Dependency Scanning - Automated dependency vulnerability scanning
  • Static Analysis - Code is analyzed for security issues
  • Penetration Testing - Regular third-party security testing
  • Secure Development - Security-focused development practices
  • Encryption - Data encrypted in transit and at rest
  • Access Control - Principle of least privilege
  • Monitoring - 24/7 security monitoring
  • Incident Response - Documented incident response procedures

📚 Security Resources

📧 Contact

Security reports: security@documentstack.com (see Reporting a Vulnerability above).

🔄 Policy Updates

This security policy may be updated from time to time. Please check back regularly for updates.

Last Updated: January 2026

Thank you for helping keep DocumentStack and our users safe! 🛡️