## Supported Versions

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
## Reporting a Vulnerability

We take the security of ConcordBroker seriously. If you discover a security vulnerability, please follow these steps:

- DO NOT create a public GitHub issue
- Email the details to the project maintainer
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
## Security Best Practices

### Secrets Management

- NEVER commit secrets to the repository
- Use environment variables for all sensitive data
- Rotate credentials regularly
- Use the Railway/Vercel/Supabase secret stores
### API Security

- All endpoints require authentication (except `/health`)
- Implement rate limiting
- Use a CORS allowlist restricted to the frontend domain
- Validate all input data
### Database Security

- Use parameterized queries to prevent SQL injection
- Enable Row Level Security (RLS) in Supabase
- Use service role keys only in the backend
- Never expose database credentials
- Take regular backups
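As an added example (not code from the ConcordBroker repository), the Supabase SQL that turns on RLS for a hypothetical `listings` table and scopes every row to the user identified by `auth.uid()`; the table and column names are assumptions:

```sql
-- Added example, not ConcordBroker's own schema: the "listings" table and
-- its columns are assumptions chosen to show the RLS pattern.
create table if not exists public.listings (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  address    text not null,
  created_at timestamptz not null default now()
);

-- Until this runs, every row is readable by anyone holding the anon key.
alter table public.listings enable row level security;

-- Authenticated users may read only rows they own; the anon role gets nothing
-- because no policy names it.
create policy "listings_select_own"
  on public.listings for select
  to authenticated
  using (owner_id = auth.uid());

-- Inserts must carry the caller's own uid (the column default fills it in).
create policy "listings_insert_own"
  on public.listings for insert
  to authenticated
  with check (owner_id = auth.uid());

-- Updates and deletes are scoped to the owner in the same way.
create policy "listings_update_own"
  on public.listings for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "listings_delete_own"
  on public.listings for delete
  to authenticated
  using (owner_id = auth.uid());
```

A quick check after applying this: a `select * from listings` issued with the anon key should return no rows, and with a user JWT only that user's rows. The service role key bypasses RLS entirely, which is why the list above confines it to the backend.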
### Authentication

- Use Twilio Verify for multi-factor authentication
- Issue JWTs with short expiration times
- Secure session management
- Enforce password complexity requirements
### Data Protection

- Encrypt sensitive data at rest
- Use HTTPS for all communications
- Minimize the PII collected and stored
- GDPR compliance where applicable
### Monitoring

- Use Sentry for error tracking
- Monitor for suspicious activity
- Regular security audits
- Dependency vulnerability scanning
## Deployment Checklist

- Environment variables configured
- Secrets not in codebase
- RLS enabled in Supabase
- CORS configured correctly
- Authentication implemented
- Input validation in place
- SQL injection prevention
- HTTPS enforced
- Error tracking configured
- Dependencies up to date
## Response Timeline

We aim to:

- Acknowledge receipt within 48 hours
- Provide an initial assessment within 1 week
- Release patches for critical issues ASAP
- Release patches for non-critical issues within 30 days
## Disclosure Policy

We follow responsible disclosure:

1. Reporter notifies us privately
2. We acknowledge and assess the report
3. We develop and test a fix
4. We release the patch
5. We publicly disclose, with credit to the reporter