Only the latest commit on main is actively supported. There are no versioned releases yet.
Please do not open a public GitHub issue for security vulnerabilities.
Unforgettable stores personal saved content — URLs, text snippets, screenshots, and OCR-extracted text. A vulnerability here is a real privacy risk to real users. We take that seriously.
Email: security@unforgettable.app (or open a private GitHub Security Advisory if email is unavailable)
Include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact (what an attacker could access or do)
- Your suggested fix if you have one
What to expect after you report:
- You'll receive an acknowledgement within 48 hours
- We'll investigate and keep you updated as we work on a fix
- Once a fix is deployed, we'll credit you in the release notes (unless you prefer anonymity)
We ask that you give us reasonable time to fix the issue before any public disclosure. We'll aim to resolve critical issues within 7 days and high severity within 14 days.
| Property | How it's enforced |
|---|---|
| User data isolation | Every query includes WHERE user_id = $1 — cross-user access is structurally impossible |
| SQL injection | Parameterised queries only — no string interpolation in SQL |
| Auth tokens | HTTP-only cookies — not accessible from JavaScript |
| Passwords | bcrypt (rounds: 12) — never stored in plaintext |
| Input validation | Zod schemas on all API inputs — malformed requests are rejected before reaching business logic |
| XSS | React's default escaping — no dangerouslySetInnerHTML anywhere in the codebase |
| CSRF | NextAuth.js handles CSRF token validation |
| User content | Never sent to external APIs — all processing (OCR) happens on-server in Docker |
| Infrastructure | PostgreSQL runs in Docker — not exposed to public internet in production |
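As an added illustration of the first two table rows (example code, not the project's own data layer), a structural guard that refuses to run a statement unless it carries a WHERE user_id = $N predicate bound to the caller's id and passes every value through a placeholder; the DbClient interface and the node-postgres style $1 placeholders are assumptions.

```typescript
// Added example: enforces "every query includes WHERE user_id = $N" and
// "parameterised queries only" at the data-layer boundary. The DbClient
// shape and $N positional placeholders are assumptions, not the project's API.
interface DbClient {
  query(text: string, params: unknown[]): Promise<unknown[]>;
}

// A WHERE clause that binds user_id to a positional placeholder.
const USER_SCOPE = /\bwhere\b[\s\S]*?\buser_id\s*=\s*\$(\d+)/i;
const PLACEHOLDER = /\$(\d+)/g;

// Returns null when the statement is acceptably scoped, otherwise the reason.
function scopeViolation(text: string, params: unknown[], userId: string): string | null {
  const scope = USER_SCOPE.exec(text);
  if (!scope) return "no WHERE user_id = $N predicate";
  // The placeholder named in the predicate must carry the caller's own id,
  // so a handler cannot bind a user_id taken from the request body.
  if (params[Number(scope[1]) - 1] !== userId) return "user_id parameter is not the caller";
  // Every value must arrive through a placeholder: the highest $N has to
  // equal the number of bound parameters.
  let highest = 0;
  PLACEHOLDER.lastIndex = 0;
  for (let m = PLACEHOLDER.exec(text); m; m = PLACEHOLDER.exec(text)) {
    highest = Math.max(highest, Number(m[1]));
  }
  if (highest !== params.length) return `placeholders (${highest}) and params (${params.length}) differ`;
  // Deliberately strict: a quoted literal in a comparison is treated as a
  // sign of string interpolation, so constants also go through params.
  if (/=\s*'[^']*'/.test(text)) return "quoted literal in comparison; use a placeholder";
  return null;
}

// Data-layer entry point: refuses to run anything that fails the guard.
async function scopedQuery(db: DbClient, userId: string, text: string, params: unknown[]): Promise<unknown[]> {
  const why = scopeViolation(text, params, userId);
  if (why) throw new Error(`rejected query: ${why}`);
  return db.query(text, params);
}
```

The guard is a structural check, not a SQL parser; it catches a missing scope, a mismatched user id, and unbound values, but not every malformed predicate.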
Out of scope:
- Rate limiting bypasses in local development environments
- Issues in documentation/files (not executable)
- Theoretical vulnerabilities with no practical exploit path
- Findings from automated scanners with no manual verification