We actively maintain security for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |

- ✅ Secure Password Hashing: Using bcrypt with proper salt generation
- ✅ JWT Security: HS256 algorithm with strict validation, 1-hour expiration
- ✅ Rate Limiting: Login attempt limiting (5 attempts per 5 minutes)
- ✅ Token Revocation: Blacklist system for compromised tokens
- ✅ Session Management: Secure session handling with environment-based secrets
- ✅ File Upload Security: JSON validation with size and format restrictions
- ✅ Path Traversal Prevention: Filename sanitization in export functions
- ✅ XSS Prevention: Input sanitization and output encoding
- ✅ SQL Injection Prevention: Parameterized queries (where applicable)
- ✅ Secure Random Generation: Using os.urandom() for nonces and tokens
- ✅ AES-GCM Encryption: Ready for sensitive data encryption if needed
- ✅ PBKDF2 Key Derivation: For password-based key generation
- ✅ Security Headers: Comprehensive HTTP security headers
- ✅ Content Security Policy: XSS and injection attack prevention
- ✅ HTTPS Enforcement: Strict Transport Security headers
- ✅ Frame Protection: Clickjacking prevention
- ✅ Secure Logging: Log injection prevention and sanitization
- ✅ Error Handling: Secure error messages without information disclosure
- ✅ Audit Trail: Authentication and critical action logging
- ✅ ZIP Bomb Protection: Controlled file creation in ZIP exports
- ✅ Temporary File Cleanup: Automatic cleanup of uploaded files
- ✅ Directory Traversal Prevention: Sanitized file paths
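The JWT-related items in the list above (HS256 with strict validation, 1-hour expiration, a revocation blacklist, os.urandom() for token identifiers) worked through as one added example. This is illustrative code written for this page, not the project's own implementation: it uses only the Python standard library instead of a JWT library, the secret is a constructed placeholder that a real deployment would load from the environment, and keying the blacklist on a per-token `jti` claim is an assumption about how revocation is tracked.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Collection, Optional

# Constructed placeholder; the real application reads its secret from the environment.
SECRET = b"demo-secret-loaded-from-env-in-production"
ALLOWED_ALG = "HS256"   # pinned server-side, never taken from the token header
DEFAULT_TTL = 3600      # the 1-hour expiration stated in the feature list


class TokenError(Exception):
    """Raised for any token that fails validation; callers get one generic failure."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, secret: bytes = SECRET, ttl: int = DEFAULT_TTL,
                now: Optional[float] = None) -> str:
    """Create an HS256 JWT with an unpredictable jti that a blacklist can key on."""
    now = int(time.time() if now is None else now)
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl,
               "jti": os.urandom(16).hex()}   # CSPRNG-backed token id (assumption)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    return signing_input + "." + b64url_encode(_sign(signing_input, secret))


def verify_token(token: str, secret: bytes = SECRET,
                 revoked_jtis: Collection[str] = (), now: Optional[float] = None) -> dict:
    """Strict verification: pinned alg, HMAC check, expiry, then the revocation list."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:   # covers binascii and JSON errors
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("malformed token")
    # The header is attacker-controlled: "none" or any other algorithm is rejected
    # before the signature is even looked at.
    if header.get("alg") != ALLOWED_ALG:
        raise TokenError("unexpected algorithm")
    expected = _sign(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        raise TokenError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    jti = payload.get("jti")
    if not isinstance(jti, str) or jti in revoked_jtis:
        raise TokenError("token revoked")
    return payload


def is_valid(token: str, **kwargs) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, **kwargs)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    tok = issue_token("alice")
    print(verify_token(tok)["sub"])                         # alice
    print(is_valid(tok, revoked_jtis={verify_token(tok)["jti"]}))   # False
```

The order of checks matters: the algorithm is compared against a server-side constant before any cryptographic work, so a header claiming `"alg": "none"` never reaches the signature step, and expiry and revocation are only consulted once the signature has proven the claims were issued by this server.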
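A second added example, covering the rate-limiting, secure-logging and audit-trail items above together, since they meet in the login handler: a sliding window of 5 failed attempts per 5 minutes, a sanitizer that strips CR/LF and other control characters from user-controlled values before they reach the audit log, and one generic failure message for both unknown users and wrong passwords. It is written for this page and is not the project's code; keying the limiter on client IP is an assumption, and `demo_check_password` is a constructed stand-in for the bcrypt check the feature list describes.

```python
import collections
import hmac
import logging
import re
import time
from typing import Callable, Deque, Dict, Optional

MAX_ATTEMPTS = 5          # from the feature list: 5 attempts ...
WINDOW_SECONDS = 5 * 60   # ... per 5 minutes

audit_log = logging.getLogger("audit")

# Everything below 0x20 (CR, LF, ESC, ...) plus DEL: the characters a forged log line needs.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = 128) -> str:
    """Make a user-controlled string safe to place inside a single log line."""
    return _CONTROL.sub("?", value)[:max_len]


class LoginRateLimiter:
    """Sliding-window count of failed attempts per key (client IP here, an assumption)."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: int = WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)

    def _live(self, key: str, now: float) -> Deque[float]:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()   # forget failures that have aged out of the window
        return q

    def is_blocked(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._live(key, now)) >= self.max_attempts

    def record_failure(self, key: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._live(key, now).append(now)

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, username: str, password: str, client_ip: str,
                  check_password: Callable[[str, str], bool],
                  now: Optional[float] = None) -> str:
    """Return "blocked", "ok" or "failed"; every outcome leaves an audit record."""
    now = time.time() if now is None else now
    safe_user, safe_ip = sanitize_for_log(username), sanitize_for_log(client_ip)
    if limiter.is_blocked(client_ip, now):
        # Blocked before the password is checked, so the limit also stops a correct guess.
        audit_log.warning("login blocked user=%s ip=%s", safe_user, safe_ip)
        return "blocked"
    if check_password(username, password):
        limiter.reset(client_ip)
        audit_log.info("login ok user=%s ip=%s", safe_user, safe_ip)
        return "ok"
    limiter.record_failure(client_ip, now)
    # Same message for unknown user and wrong password: no account enumeration.
    audit_log.warning("login failed user=%s ip=%s", safe_user, safe_ip)
    return "failed"


def demo_check_password(username: str, password: str) -> bool:
    """Stand-in for the real bcrypt verification (constructed credentials, not the project's)."""
    stored = {"alice": "correct horse battery staple"}
    expected = stored.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and username in stored


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    limiter = LoginRateLimiter()
    for _ in range(6):
        print(attempt_login(limiter, "alice\r\nlogin ok user=root", "wrong",
                            "10.0.0.1", demo_check_password))
```

The limiter is consulted before the password check so that the sixth attempt inside the window is refused even if it carries the right password, and the sanitizer replaces control characters rather than dropping them, so an injected line break still leaves a visible `??` trace in the record.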

We take security seriously. If you discover a security vulnerability, please follow these steps:

Please do not report security vulnerabilities through public GitHub issues.

Email security concerns to: [email protected]

Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Critical issues within 30 days

We follow a coordinated disclosure policy:
- We'll acknowledge receipt of your report
- We'll investigate and develop a fix
- We'll test the fix thoroughly
- We'll deploy the fix to production
- We'll publicly acknowledge your contribution (if desired)

- Keep dependencies updated
- Use environment variables for secrets
- Enable HTTPS in production
- Regularly review access logs
- Implement proper backup procedures
- Use strong, unique passwords
- Enable two-factor authentication where possible
- Regularly update the application
- Monitor for suspicious activity
- Use secure hosting environments

The following known vulnerabilities have been mitigated:

| CVE ID | Description | Status |
|---|---|---|
| CVE-2020-36242 | Weak bcrypt implementation | ✅ Fixed |
| CVE-2013-7370 | Static IV in AES encryption | ✅ Fixed |
| CVE-2019-17571 | Logging injection vulnerabilities | ✅ Fixed |
| GHSA-ffqj-6fqr-9h24 | Insecure JWT decoding | ✅ Fixed |
| GHSA-c7hr-j4mj-j2w6 | JWT "none" algorithm acceptance | ✅ Fixed |
| GHSA-gw9q-c7gh-j9vm | ZIP path traversal vulnerability | ✅ Fixed |
| GHSA-gwrp-pvrq-jmwv | Unvalidated relative paths in ZIP | ✅ Fixed |
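The two ZIP entries in the table (path traversal, unvalidated relative paths) and the related items in the feature list (filename sanitization in exports, ZIP bomb protection) in one added example. This is illustrative code written for this page, not the project's implementation; it assumes the Python standard library `zipfile` module, and the size, member-count and compression-ratio limits are constructed placeholders to be tuned to real export sizes.

```python
import io
import re
import zipfile
from typing import Dict, List

# Constructed limits for this example; tune them to the real export sizes.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_MEMBERS = 1000
MAX_RATIO = 100                  # declared size / compressed size
RATIO_CHECK_MIN_SIZE = 64 * 1024  # tiny members compress oddly; skip the ratio test

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str) -> str:
    """Collapse a user-supplied name into one safe path component for an export member."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    base = _UNSAFE_CHARS.sub("_", base).strip(". ")     # no leading dots, no odd characters
    return (base or "export")[:255]


def is_safe_member(name: str) -> bool:
    """True if an archive member name cannot escape the extraction directory."""
    if not name or "\x00" in name:
        return False
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return False                     # absolute POSIX path or Windows drive letter
    return ".." not in normalized.split("/")


def make_archive(entries: Dict[str, bytes], sanitize: bool = True) -> bytes:
    """Build an in-memory ZIP. sanitize=False exists only to construct hostile test fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(sanitize_filename(name) if sanitize else name, data)
    return buf.getvalue()


def inspect_zip(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED,
                max_members: int = MAX_MEMBERS, max_ratio: int = MAX_RATIO) -> List[str]:
    """Validate member names and declared sizes before anything is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise ValueError("too many members")
        total = 0
        for info in infos:
            if not is_safe_member(info.filename):
                raise ValueError(f"unsafe member name: {info.filename!r}")
            total += info.file_size
            if total > max_total:
                raise ValueError("declared uncompressed size exceeds cap")
            if (info.file_size >= RATIO_CHECK_MIN_SIZE and info.compress_size
                    and info.file_size // info.compress_size > max_ratio):
                raise ValueError(f"suspicious compression ratio: {info.filename!r}")
        return [info.filename for info in infos]


def zip_is_acceptable(data: bytes, **limits) -> bool:
    """Boolean form of inspect_zip for callers that only need accept/reject."""
    try:
        inspect_zip(data, **limits)
        return True
    except (ValueError, zipfile.BadZipFile):
        return False


def read_member_bounded(data: bytes, member: str, limit: int) -> bytes:
    """Inflate one member while counting real bytes; the central-directory size can lie."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(member) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out.write(chunk)
            if out.tell() > limit:
                raise ValueError("member exceeds size limit while inflating")
    return out.getvalue()


if __name__ == "__main__":
    export = make_archive({"../../etc/passwd": b"x", "report.json": b"{}"})
    print(inspect_zip(export))   # ['passwd', 'report.json']
```

Two layers are deliberate: `inspect_zip` rejects an archive on its declared metadata before any inflation happens, and `read_member_bounded` enforces the limit again on the bytes actually produced, because the sizes in the central directory are attacker-supplied and need not match the compressed stream.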

For security-related questions or concerns:

- Email: [email protected]
- GitHub: @azurejoga

Last updated: June 26, 2025

Security policy version: 1.0