
Security: pavan6cs/SwiftSplit


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     yes

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: pavankumar6cs@gmail.com

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Security Best Practices

When contributing to or deploying SwiftSplit, please follow these security guidelines:

Environment Variables

  • Never commit .env.local or any file containing secrets
  • Always use .env.example as a template
  • Rotate Firebase credentials immediately if they are accidentally exposed; treat a leaked secret as compromised even after it has been removed from the file or the git history

Firebase Security

  • Deploy restrictive Firestore Security Rules (see firestore.rules); never leave the permissive test-mode rules in place, since they allow any client to read and write the database
  • Enable Firebase App Check in production
  • Monitor Firebase usage for suspicious activity
  • Use Firebase Authentication for all users

Code Security

  • Use the production logger (src/lib/utils/logger.ts) instead of console.log
  • Validate all user inputs with Zod schemas
  • Sanitize error messages before displaying to users
  • Keep dependencies up to date: run npm audit regularly and apply the updates it reports
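The sanitization and logging items above share one pattern: the UI only ever receives a fixed, generic message, while the raw error (which can carry Firebase project IDs, internal hostnames or stack traces) goes to a level-aware logger that drops debug output in production. The block below is an added example, not code from the SwiftSplit repository; the in-memory logger is a hypothetical stand-in for src/lib/utils/logger.ts, the error codes are ordinary Firebase SDK codes, and the sample errors are constructed.

```typescript
// Added example (not SwiftSplit's own code): sanitize errors before they reach
// the UI and route the raw detail through a production-safe logger.

type Level = "debug" | "info" | "warn" | "error";
const LEVEL_RANK: Record<Level, number> = { debug: 0, info: 1, warn: 2, error: 3 };

interface LogEntry { level: Level; msg: string; meta?: Record<string, unknown> }

// Hypothetical stand-in for the project's logger: in production only warn/error
// are recorded. Entries are kept in memory so behaviour can be checked directly.
function createLogger(env: string) {
  const minRank = env === "production" ? LEVEL_RANK.warn : LEVEL_RANK.debug;
  const entries: LogEntry[] = [];
  const write = (level: Level, msg: string, meta?: Record<string, unknown>) => {
    if (LEVEL_RANK[level] < minRank) return; // debug/info are dropped in production
    entries.push({ level, msg, meta });
  };
  return {
    entries,
    debug: (msg: string, meta?: Record<string, unknown>) => write("debug", msg, meta),
    info: (msg: string, meta?: Record<string, unknown>) => write("info", msg, meta),
    warn: (msg: string, meta?: Record<string, unknown>) => write("warn", msg, meta),
    error: (msg: string, meta?: Record<string, unknown>) => write("error", msg, meta),
  };
}
type Logger = ReturnType<typeof createLogger>;

// Allow-list of error codes that get a user-facing message. Anything not listed
// falls through to GENERIC_MESSAGE. The auth codes deliberately share one text so
// the login form cannot be used to enumerate which accounts exist.
const USER_MESSAGES: Record<string, string> = {
  "auth/invalid-credential": "Incorrect email or password.",
  "auth/user-not-found": "Incorrect email or password.",
  "auth/wrong-password": "Incorrect email or password.",
  "auth/too-many-requests": "Too many attempts. Please try again later.",
  "permission-denied": "You do not have access to this item.",
  "unavailable": "The service is temporarily unavailable. Please try again.",
};
const GENERIC_MESSAGE = "Something went wrong. Please try again.";

function errorCode(err: unknown): string | undefined {
  if (typeof err === "object" && err !== null && "code" in err) {
    const code = (err as { code: unknown }).code;
    return typeof code === "string" ? code : undefined;
  }
  return undefined;
}

function errorMessage(err: unknown): string {
  if (err instanceof Error) return err.message;
  if (typeof err === "object" && err !== null && "message" in err) {
    return String((err as { message: unknown }).message);
  }
  return String(err);
}

// Returns the message that is safe to display. The raw error is logged at error
// level with its code, message and stack; it is never interpolated into the
// returned string, so internal detail cannot leak to the browser.
function sanitizeError(err: unknown, logger: Logger): string {
  const code = errorCode(err);
  logger.error("operation failed", {
    code,
    raw: errorMessage(err),
    stack: err instanceof Error ? err.stack : undefined,
  });
  return (code !== undefined && USER_MESSAGES[code]) || GENERIC_MESSAGE;
}

// Constructed sample error shaped like what the Firebase SDK throws (code + message).
class FirebaseLikeError extends Error {
  code: string;
  constructor(code: string, message: string) {
    super(message);
    this.code = code;
  }
}

// Runs two constructed failures through the sanitizer under a given environment
// and returns what the user would see alongside what the logger recorded.
function demo(env: string) {
  const logger = createLogger(env);
  const shown = [
    sanitizeError(new FirebaseLikeError("auth/user-not-found", "Firebase: Error (auth/user-not-found)."), logger),
    sanitizeError(new Error("connect ECONNREFUSED 10.0.0.12:5432"), logger),
  ];
  logger.debug("debug noise that must not be recorded in production");
  return { shown, entries: logger.entries };
}
```

Keep the mapping as an allow-list: when a new Firebase error code shows up, the worst case is a generic message, never an echoed internal string.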

Deployment

  • Enable HTTPS (automatic with Vercel/Firebase Hosting)
  • Add security headers (see next.config.ts)
  • Use environment variables for all sensitive data
  • Enable branch protection on main branch
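The "add security headers" item refers to the headers() hook that Next.js exposes in next.config.ts. The block below is an added example of what such a configuration looks like, not the repository's actual next.config.ts; the header values are a suggested baseline, and the missingHeaders() helper is my own addition for checking a deployed site's response headers against that baseline.

```typescript
// Added example (not the project's real next.config.ts): a baseline set of
// security headers applied to every route, plus a helper for auditing a
// deployed site's response headers against the same baseline.

interface Header { key: string; value: string }

// Suggested baseline. Content-Security-Policy is intentionally not included:
// Next.js inline scripts need per-request nonces, which is a separate setup.
function buildSecurityHeaders(): Header[] {
  return [
    // Two years; add "preload" only once every subdomain is served over HTTPS.
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
    // Stop browsers from sniffing a response into a different content type.
    { key: "X-Content-Type-Options", value: "nosniff" },
    // The app never needs to be framed, so block clickjacking outright.
    { key: "X-Frame-Options", value: "DENY" },
    // Send the origin only, and nothing when downgrading from HTTPS.
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    // An expense splitter needs none of these device capabilities.
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
}

const nextConfig = {
  async headers() {
    // "/:path*" is Next.js's path-matcher syntax for every route.
    return [{ source: "/:path*", headers: buildSecurityHeaders() }];
  },
};

export default nextConfig;

// Audit helper: given the response headers observed on a deployed page (keys in
// any case), return the baseline header names that are absent or have a
// different value. Empty result means the deployment matches the baseline.
function missingHeaders(observed: Record<string, string>): string[] {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(observed)) lower[k.toLowerCase()] = v;
  return buildSecurityHeaders()
    .filter((h) => lower[h.key.toLowerCase()] !== h.value)
    .map((h) => h.key);
}
```

After deploying, fetch the home page with curl -I and feed the headers to missingHeaders(); an empty list confirms the hosting layer did not strip or override anything.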

Known Security Measures

  • ✅ Firebase Authentication
  • ✅ Firestore Security Rules
  • ✅ Environment variable protection
  • ✅ Error message sanitization
  • ✅ Input validation with Zod
  • ✅ Production-safe logging

Security Updates

Security updates will be released as needed. Subscribe to this repository's releases to stay informed.

Contact

For security-related questions, contact: pavankumar6cs@gmail.com
