Security: Som-Dvps/Som-Movie-API

Security Policy

🔒 Supported Versions

We release patches for security vulnerabilities. Currently supported versions:

Version   Supported
0.1.x     ✅

🚨 Reporting a Vulnerability

The SOM Music team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report a Security Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. Email: Send details to yousufmoha255@gmail.com

    • Use subject line: [SECURITY] Brief description of issue
    • Include detailed information about the vulnerability
  2. WhatsApp: Contact us at +252 90 668 0955

    • Mark your message as urgent
    • Provide clear details about the security concern

What to Include in Your Report

To help us better understand and resolve the issue, please include:

  • Type of issue (e.g., XSS, CSRF, SQL injection, etc.)
  • Full paths of source file(s) related to the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

  • Acknowledgment: We'll acknowledge receipt of your report within 48 hours
  • Communication: We'll keep you informed about our progress
  • Timeline: We aim to resolve critical issues within 7 days
  • Credit: We'll credit you in our security advisories (unless you prefer to remain anonymous)

πŸ›‘οΈ Security Best Practices

For Users

  1. Keep Dependencies Updated

    npm audit
    npm audit fix
  2. Environment Variables

    • Never commit .env files to version control
    • Use strong, unique API keys
    • Rotate API keys regularly
  3. HTTPS Only

    • Always use HTTPS in production
    • Enable HSTS headers
  4. Content Security Policy

    • Implement CSP headers to prevent XSS attacks
    • Regularly review and update CSP rules

For Contributors

  1. Code Review

    • All code changes require review before merging
    • Security-sensitive changes require additional scrutiny
  2. Dependencies

    • Regularly update dependencies
    • Review dependency security advisories
    • Use npm audit before committing
  3. Input Validation

    • Validate and sanitize all user inputs
    • Use parameterized queries for database operations
    • Implement proper error handling
  4. Authentication & Authorization

    • Use secure authentication mechanisms
    • Implement proper session management
    • Follow principle of least privilege

πŸ” Known Security Considerations

API Keys

  • OMDb API Key: Currently hardcoded in the application
    • Risk: Low (read-only public API with rate limits)
    • Recommendation: Move to environment variables for production

Local Storage

  • Usage: Storing favorites and theme preferences
    • Risk: Low (no sensitive data stored)
    • Note: Data is client-side only and not transmitted

Third-Party Services

  1. OMDb API

    • External movie database API
    • No user data transmitted
    • Rate-limited to prevent abuse
  2. Formspree

    • Contact form backend
    • Only transmits user-provided contact information
    • Ensure HTTPS is used

🔄 Security Update Process

  1. Vulnerability Identified

    • Internal discovery or external report
    • Severity assessment (Critical, High, Medium, Low)
  2. Patch Development

    • Develop fix in private repository
    • Test thoroughly
    • Prepare security advisory
  3. Release

    • Release patched version
    • Publish security advisory
    • Notify affected users
  4. Post-Release

    • Monitor for exploitation attempts
    • Update documentation
    • Review security practices

🚀 Security Checklist for Deployment

Before deploying to production:

  • All dependencies are up to date
  • npm audit shows no vulnerabilities
  • Environment variables are properly configured
  • HTTPS is enabled
  • CSP headers are configured
  • API keys are not exposed in client-side code
  • Error messages don't leak sensitive information
  • Rate limiting is implemented
  • CORS is properly configured
  • Security headers are set (X-Frame-Options, X-Content-Type-Options, etc.)
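As an added example, not code from the Som-Movie-API project: a small Node/JavaScript deploy check that builds the header set the checklist above (and the HTTPS/HSTS and CSP items under Security Best Practices) calls for, then audits a response's headers against it. The OMDb and Formspree origins in the CSP are assumptions about where the third-party services named in this policy are reached.

```javascript
// Added example, not Som-Movie-API project code; the two origins are assumptions.
const OMDB_ORIGIN = "https://www.omdbapi.com"; // assumed OMDb API origin
const FORMSPREE_ORIGIN = "https://formspree.io"; // assumed Formspree endpoint origin

// CSP allowing the app's own origin plus only the two third-party services the
// policy names; inline scripts, plugins and framing by other sites are blocked.
function buildCsp() {
  return [
    "default-src 'self'",
    `connect-src 'self' ${OMDB_ORIGIN} ${FORMSPREE_ORIGIN}`,
    `form-action 'self' ${FORMSPREE_ORIGIN}`,
    "img-src 'self' https: data:", // OMDb poster URLs point at other hosts
    "object-src 'none'",
    "frame-ancestors 'none'",
  ].join("; ");
}
// Header set covering the HSTS, CSP and "security headers" checklist items.
function securityHeaders() {
  return {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": buildCsp(),
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
  };
}

// Splits a CSP string into { directive: [sources...] } for inspection.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name] = sources;
  }
  return out;
}

// Audits a response header map (any name casing) against the checklist and
// returns the failing items, so a deploy step can abort on a non-empty list.
function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const failures = [];
  const hsts = (h["strict-transport-security"] || "").match(/max-age=(\d+)/);
  if (!hsts || Number(hsts[1]) < 15552000) failures.push("HSTS missing or max-age below 180 days");
  const csp = parseCsp(h["content-security-policy"] || "");
  if (!csp["default-src"]) failures.push("CSP missing default-src");
  const scriptSrc = csp["script-src"] || csp["default-src"] || []; // script-src falls back to default-src
  if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*")) failures.push("CSP script-src allows 'unsafe-inline' or a wildcard");
  if (!["DENY", "SAMEORIGIN"].includes((h["x-frame-options"] || "").toUpperCase())) failures.push("X-Frame-Options is not DENY or SAMEORIGIN");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") failures.push("X-Content-Type-Options is not nosniff");
  return failures;
}
```

Run `auditHeaders` over the headers returned by a staging deployment (for example the result of a `fetch` to the site) and fail the deploy when the returned list is non-empty.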

📚 Security Resources

Recommended Reading

Tools

  • npm audit: Check for known vulnerabilities
  • Snyk: Continuous security monitoring
  • OWASP ZAP: Web application security scanner

πŸ… Security Hall of Fame

We recognize and thank security researchers who help keep SOM Music secure:

No security issues have been reported yet.

📞 Contact

For security-related questions or concerns:

Please use these contacts for security issues only. For general questions, please use GitHub Issues.

📄 Policy Updates

This security policy may be updated from time to time. Please check back regularly for updates.

Last Updated: December 22, 2025


Thank you for helping keep SOM Music and our users safe! 🔒✨