Security: fam007e/examvault

SECURITY.md

Security Policy

ExamVault takes security seriously. We handle educational data and enforce strict access controls.

🛡️ Implemented Security Measures

Authentication & Sessions

  • Mandatory 2FA: All accounts are required to use TOTP (Time-based One-Time Password) via Google Authenticator or similar apps.
  • JWT Sessions: Stateless, signed sessions using HS256.
  • HIBP Integration: All new passwords are checked against the "Have I Been Pwned" breach database using k-Anonymity.

API Hardening

  • Rate Limiting: IP-based rate limiting (5 req/min on Auth endpoints) to prevent brute-force attacks.
  • RBAC: Strict Role-Based Access Control enforcing teacher vs student permissions.
  • Security Headers: HSTS, Content-Security-Policy, X-Frame-Options (DENY), and X-XSS-Protection are enforced globally.
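An IP-based limit like the "5 req/min on Auth endpoints" above has two parts that matter for security: the window arithmetic, and deciding which address counts as the client when the app sits behind a reverse proxy. The following added example (illustrative code written for this page, not the project's own; class and function names are assumptions) implements a sliding-window limiter with an injectable clock and a client-address resolver that trusts `X-Forwarded-For` only when the direct peer is a configured proxy, so an unauthenticated caller cannot reset its own bucket by spoofing the header.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, FrozenSet, Optional


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` per key (here: client IP).

    Each key keeps a deque of hit timestamps; hits older than the window are
    evicted on every call, so a burst at second 0 frees up again at second 60.
    """

    def __init__(self, max_requests: int = 5, window_seconds: float = 60.0,
                 clock=time.monotonic):
        self._max = max_requests
        self._window = window_seconds
        self._clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = self._clock() if now is None else now
        q = self._hits[key]
        cutoff = now - self._window
        while q and q[0] <= cutoff:          # evict expired hits
            q.popleft()
        if len(q) >= self._max:              # over budget: reject, do not record
            return False
        q.append(now)
        return True

    def retry_after(self, key: str, now: Optional[float] = None) -> float:
        """Seconds until the oldest counted hit expires (0 when not limited)."""
        now = self._clock() if now is None else now
        q = self._hits[key]
        if len(q) < self._max:
            return 0.0
        return max(0.0, q[0] + self._window - now)


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None,
              trusted_proxies: FrozenSet[str] = frozenset()) -> str:
    """Resolve the address to rate-limit on.

    X-Forwarded-For is attacker-controlled unless the direct peer is one of our
    own proxies, so it is honoured only then. Walking the chain from the right
    and skipping trusted hops yields the nearest untrusted address.
    """
    if remote_addr in trusted_proxies and forwarded_for:
        chain = [hop.strip() for hop in forwarded_for.split(",") if hop.strip()]
        for hop in reversed(chain):
            if hop not in trusted_proxies:
                return hop
    return remote_addr


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=60)
    ip = client_ip("10.0.0.1", "198.51.100.9", frozenset({"10.0.0.1"}))
    for _ in range(6):
        print(ip, limiter.allow(ip))
    print("retry after", round(limiter.retry_after(ip), 1), "s")
```

Rejected requests are deliberately not recorded, so a client that keeps hammering does not extend its own lockout indefinitely; the 429 response should carry the `retry_after` value so legitimate clients back off correctly.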

Data Protection

  • Encryption: Passwords hashed with Bcrypt. 2FA secrets stored encrypted.
  • Sanitization: All inputs validated to prevent SQL Injection and XSS.

🐛 Reporting a Vulnerability

If you discover a security vulnerability, please DO NOT open a public issue.

  1. Email the maintainers directly at security@examvault.com (or the repository owner's contact).
  2. Provide a proof-of-concept (PoC).
  3. We will acknowledge receipt within 48 hours and provide a timeline for a fix.

🚫 Out of Scope

  • DoS/DDoS attacks.
  • Social Engineering attacks.
  • Physical access attacks.

There aren’t any published security advisories