## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
## Reporting a Vulnerability

If you discover a security vulnerability, please do the following:

- DO NOT open a public issue
- Email the maintainers directly at: [your-email@example.com]
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We will respond within 48 hours and work with you to resolve the issue.
## Security Best Practices

- Never commit `.env` files with real credentials
- Use strong JWT secrets - generate with `crypto.randomBytes()`
- Rotate API keys regularly
- Use HTTPS in production
- Keep dependencies updated - run `npm audit` regularly
- Limit API key permissions - use minimum required scopes
- Monitor usage - watch for unusual activity
- Validate all inputs - never trust user input
- Use parameterized queries - prevent SQL injection
- Sanitize outputs - prevent XSS attacks
- Implement rate limiting - prevent abuse
- Encrypt sensitive data - use proper encryption
- Use HTTPS only - no plain HTTP in production
- Keep secrets secret - never log sensitive data
## Security Features

### Encryption

- User API keys are encrypted using AES-256-GCM
- The encryption key must be kept secure
- Never expose `MASTER_ENCRYPTION_KEY`
### Authentication

- JWT tokens expire after 7 days by default
- Tokens are signed with HS256
- Change `JWT_SECRET` in production
### Rate Limiting

- API endpoints have rate limits
- Adjust them based on your needs
- Monitor for abuse
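
One way to implement per-endpoint rate limits, added here as an example and not taken from the project: an in-memory token-bucket limiter keyed by API key or client IP, with an Express-style middleware wrapper. The capacities, refill rates and header names are constructed for the illustration; a multi-instance deployment would keep the buckets in a shared store instead of process memory.

```javascript
'use strict';
// Added example, not VoxFlow.ai's own code: an in-memory token-bucket limiter
// keyed by API key or client IP, plus an Express-style middleware wrapper.
// Limits used in tests are constructed; tune per endpoint as the policy says.

class TokenBucketLimiter {
  // capacity: burst size; refillPerSecond: sustained rate; idleTtlMs: how long
  // an unused bucket is kept before eviction (bounds memory under key churn).
  constructor({ capacity, refillPerSecond, idleTtlMs = 10 * 60 * 1000 }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.idleTtlMs = idleTtlMs;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }

  // Refill lazily: tokens accrue in proportion to time since the last touch.
  _bucket(key, now) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, updatedAt: now };
      this.buckets.set(key, b);
      return b;
    }
    const elapsedSec = Math.max(0, now - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.updatedAt = now;
    return b;
  }

  // Decide one request. Returns whether it is allowed, tokens left, and how
  // long the caller should wait when refused.
  allow(key, now = Date.now()) {
    const b = this._bucket(key, now);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    const retryAfterMs = Math.ceil(((1 - b.tokens) / this.refillPerSecond) * 1000);
    return { allowed: false, remaining: 0, retryAfterMs };
  }

  // Drop buckets nobody has touched for idleTtlMs; call periodically.
  evictIdle(now = Date.now()) {
    let removed = 0;
    for (const [key, b] of this.buckets) {
      if (now - b.updatedAt > this.idleTtlMs) {
        this.buckets.delete(key);
        removed += 1;
      }
    }
    return removed;
  }
}

// Express-compatible middleware (req, res, next). keyOf picks the bucket key;
// an authenticated API key id is a better key than req.ip behind a proxy.
function rateLimit(limiter, keyOf = (req) => req.ip) {
  return (req, res, next) => {
    const result = limiter.allow(keyOf(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (result.allowed) return next();
    res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
    res.status(429).json({ error: 'rate limit exceeded' });
  };
}

module.exports = { TokenBucketLimiter, rateLimit };
```

Logging each 429 with the bucket key is the cheapest form of the "monitor for abuse" item above: a single key tripping the limit repeatedly is a signal worth alerting on, while a broad spike across many keys usually means the limit itself needs adjusting.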
### File Uploads

- CSV files are limited to 10MB
- Only `.csv` files are accepted
- Files are validated before processing
## Disclosure Policy

- We will acknowledge receipt within 48 hours
- We will provide a fix timeline within 7 days
- We will credit reporters (unless they prefer anonymity)
- We will publish security advisories for critical issues

Thank you for helping keep VoxFlow.ai secure! 🔒