Only the latest version is supported.

We take security seriously. If you discover a security vulnerability in Toolbox.io, please report it responsibly.

DO NOT create public GitHub issues for security vulnerabilities.

Instead, please report security issues through one of these channels:

1. Telegram (Preferred): @denis0001_dev
2. Email: support@toolbox-io.ru
3. GitHub Security Advisories: Use GitHub's private vulnerability reporting feature

When reporting a security vulnerability, please include:

• Description: Clear description of the vulnerability
• Impact: Potential impact and severity
• Reproduction: Step-by-step instructions to reproduce
• Environment: Affected versions and configurations
• Proof of Concept: If applicable, include a minimal PoC
• Suggested Fix: If you have ideas for fixing the issue

• Initial Response: Within 24 hours
• Status Update: Within 1 week
• Resolution: Depends on severity and complexity

• JWT-based authentication with secure token handling
• Password hashing using bcrypt
• Rate limiting on all API endpoints
• Token blacklisting for secure logout
• Email verification for account activation

• All sensitive data encrypted at rest
• Client-side encryption for photo storage
• Secure password requirements
• Input validation and sanitization
• SQL injection prevention through ORM

• HTTPS enforcement in production
• CORS properly configured
• Security headers implemented
• Rate limiting to prevent abuse
• Request size limits

• No hardcoded secrets in code
• Environment variables for configuration
• Secure coding practices
• Regular dependency updates
• Code review process

• Dependency vulnerability scanning
• Code security review
• Penetration testing
• Security headers audit
• Authentication flow review

• No sensitive data in code
• Input validation implemented
• Error handling doesn't leak information
• Authentication checks in place
• Rate limiting considered
• SQL injection prevention
• XSS prevention measures

The following are considered out of scope for security reporting:

• Social engineering attacks
• Physical access to devices
• Issues requiring root/admin access
• Issues in third-party dependencies (report to their maintainers)
• Issues in development/staging environments
• Denial of service attacks that don't involve vulnerabilities

We appreciate security researchers who help us improve our security posture. Contributors who report valid security vulnerabilities will be:

• Listed in our security acknowledgments
• Given credit in security advisorie

• Keep the app updated to the latest version
• Use strong, unique passwords
• Enable two-factor authentication where available
• Be cautious with app permissions
• Report suspicious behavior

• Never commit secrets to version control
• Use environment variables for configuration
• Implement proper input validation
• Follow secure coding practices
• Keep dependencies updated
• Use HTTPS in production
• Implement proper error handling

Security updates are released as needed. We follow this process:

1. Discovery: Vulnerability is discovered and reported
2. Assessment: Severity and impact are evaluated
3. Fix Development: Security fix is developed and tested
4. Release: Fixed version is released
5. Communication: Security advisory is published

For security-related questions or concerns:

• General Support & Security: support@toolbox-io.ru
• Owner's Telegram: @denis0001_dev
• GitHub Security: Use GitHub's security features

Thank you for helping keep Toolbox.io secure! 🛡️