We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
If you discover a security vulnerability, please do not open a public issue. Instead, please report it via email to:
Please include the following information in your report:
- Type of vulnerability (e.g., XSS, SQL injection, etc.)
- Full paths of source file(s) related to the vulnerability
- The location of the affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
We will acknowledge receipt of your vulnerability report and work with you to understand and resolve the issue quickly.
When using this template:
- Never commit API keys or secrets to version control
- Use environment variables for sensitive configuration
- Keep dependencies updated regularly
- Review security advisories for dependencies
- Use HTTPS in production
- Implement rate limiting for API endpoints
- Validate and sanitize all user inputs
- Use prepared statements for database queries (Prisma handles this)
- Implement proper authentication if adding user accounts
- Regular security audits of your deployment
When the security team receives a security bug report, they will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all releases still under maintenance
- Publish security advisories for all affected versions
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.