
Security: sah1l/devcred


Security Policy

Supported Versions

Version Supported
1.x.x
< 1.0

Security Measures

DevCred takes security seriously. Here's how we protect your data:

Token Encryption

  • All OAuth tokens are encrypted at rest using AES-256-GCM
  • Encryption keys are stored separately from the database
  • Tokens are only decrypted in memory during sync operations

Data Privacy

  • We only store aggregate contribution counts (commits, PRs, issues, reviews)
  • No commit messages, code, or file contents are ever stored
  • No personal information beyond what's necessary for account management

Authentication

  • OAuth 2.0 for all platform integrations (no PATs required)
  • Session-based authentication with secure cookies
  • CSRF protection on all forms

Infrastructure

  • HTTPS enforced on all endpoints
  • Rate limiting on public API endpoints
  • Regular dependency updates and security audits

Reporting a Vulnerability

We appreciate responsible disclosure of security vulnerabilities.

How to Report

  1. DO NOT create a public GitHub issue for security vulnerabilities
  2. Email security concerns to: sahilpatel2339@gmail.com (or create a private security advisory on GitHub)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any suggested fixes (optional)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Resolution Timeline: Depends on severity
    • Critical: 24-48 hours
    • High: 1 week
    • Medium: 2 weeks
    • Low: Next release cycle

Rewards

While we don't currently have a formal bug bounty program, we will:

  • Credit you in our security acknowledgments (if desired)
  • Provide a reference letter for significant findings

Security Best Practices for Users

  1. Keep your encryption key secure - Never commit TOKEN_ENCRYPTION_KEY to version control
  2. Use strong secrets - Generate AUTH_SECRET and CRON_SECRET with sufficient entropy
  3. Review OAuth permissions - Only grant the minimum necessary scopes
  4. Monitor connected accounts - Regularly review which accounts are connected
  5. Keep dependencies updated - Run npm audit regularly

Known Security Considerations

OAuth Token Storage

OAuth tokens from connected platforms are stored encrypted in the database. While this provides strong protection at rest, be aware that:

  • Anyone with database access AND the encryption key can decrypt tokens
  • Token refresh happens automatically; ensure your refresh token rotation policies are adequate

Public Widget Endpoints

The /api/widget/[username]/* endpoints are intentionally public (for embedding). They:

  • Only expose aggregate statistics (counts)
  • Are rate-limited to prevent abuse
  • Are cached to reduce database load
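The rate limiting mentioned for the public widget endpoints, as an added example that is not DevCred's code: a per-client sliding-window limiter in front of a handler that returns only aggregate counts. The limit, window and clock are injected so the behaviour is deterministic under test; the client IP, username and stats lookup are constructed placeholders. A multi-instance deployment would keep the counters in a shared store (Redis or similar) instead of process memory, which is the one assumption this in-memory version makes.

```javascript
// Added example (not DevCred's code): sliding-window rate limiting for a public endpoint.
class SlidingWindowLimiter {
  // limit requests per windowMs per client key; `now` is injectable for testing.
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // clientKey -> timestamps of requests inside the window
  }

  // Record one request attempt. Returns {allowed, remaining, retryAfterMs}.
  check(clientKey) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(clientKey) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(clientKey, recent);
      // Oldest hit in the window decides when capacity frees up again.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(clientKey, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Widget handler keyed by client IP. `statsFor(username)` stands in for the cached
// aggregate lookup; only counts are ever returned, matching the policy's description.
function handleWidgetRequest(limiter, req, statsFor) {
  const verdict = limiter.check(req.ip);
  if (!verdict.allowed) {
    return {
      status: 429,
      headers: { 'Retry-After': String(Math.ceil(verdict.retryAfterMs / 1000)) },
      body: null,
    };
  }
  return {
    status: 200,
    headers: { 'X-RateLimit-Remaining': String(verdict.remaining) },
    body: statsFor(req.username),
  };
}
```

Keying by IP is the simplest choice for an anonymous endpoint; because the 429 carries Retry-After, well-behaved embedders back off instead of retrying in a loop, and the cache noted above keeps the requests that do get through from reaching the database.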

Cron Endpoint

The /api/cron/daily endpoint requires a CRON_SECRET bearer token. Ensure this secret is:

  • Sufficiently long (32+ characters)
  • Rotated periodically
  • Not shared or logged

Thank you for helping keep DevCred secure!
