| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |

We take security vulnerabilities seriously. Please report security issues responsibly.
- Email: Send details to the maintainers via GitHub security advisories
- GitHub Security Advisories: Use the "Security" tab to report privately
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: Within 24-48 hours
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Next release cycle
After you report, you can expect:
- Acknowledgment of your report
- Regular updates on progress
- Credit in release notes (unless you prefer anonymity)
- Notification when the fix is released
When deploying Pierre Fitness Platform:
- Use HTTPS in production
- Rotate JWT tokens regularly
- Set strong encryption keys (`PIERRE_MASTER_ENCRYPTION_KEY`)
- Limit OAuth scopes to the minimum required
- Enable rate limiting for all endpoints
- Keep dependencies updated (`cargo update`, `npm update`)
- Review audit logs regularly
Pierre includes:
- RS256 asymmetric JWT signing (4096-bit keys)
- AES-256-GCM encryption for stored tokens
- PKCE for all OAuth flows
- Rate limiting per tenant
- CSRF protection for web applications
- Atomic token operations (TOCTOU prevention)