
Security: milobeans/epstein-open-source


SECURITY.md

Security Policy

Supported Versions

The current version is v0.1.0 (pre-release). Security fixes are provided only for the latest release; older releases are not patched.

Reporting Security Issues

Do NOT open public issues for security vulnerabilities.

If you discover a security vulnerability, please disclose it responsibly:

  1. Email: security@[your-domain] (or direct message the maintainers)
  2. Include: Description, steps to reproduce, and impact
  3. Response: We will acknowledge within 48 hours and provide a fix timeline

Security Principles

This platform handles sensitive documents and user accounts. Key security measures:

Authentication

  • Password hashing with bcrypt (cost factor 12, i.e. 2^12 rounds)
  • Session-based auth with httpOnly cookies, so session IDs are not readable from page scripts
  • 14-day session expiration
  • CSRF protection on all state-changing (non-GET) endpoints

Authorization

  • Admin endpoints require a request header carrying the ADMIN_TOKEN secret; requests without a matching token are rejected
  • Rate limiting on all API routes
  • All user content requires moderation before going live

Data Protection

  • No credentials committed to the repository
  • All secrets supplied through environment variables
  • File access via time-limited signed Cloudflare R2 URLs rather than public bucket URLs
  • SQL injection protection via Prisma ORM, whose query builder parameterizes all values; any raw queries must use the tagged-template $queryRaw/$executeRaw forms, never the $queryRawUnsafe/$executeRawUnsafe string variants with interpolated input

Disclosure

  • No personal data of users is exposed publicly
  • Email addresses are not collected (username-only accounts)
  • IP addresses are logged only for security purposes (e.g. abuse investigation)

Security Checklist

Before deploying:

  • Set a strong, randomly generated ADMIN_TOKEN (e.g. 32 or more random bytes)
  • Enable HTTPS, so session cookies can be marked Secure
  • Set REGISTRATION_OPEN=false for private deployments
  • Configure the database connection to require SSL/TLS
  • Review CORS settings; do not allow arbitrary origins with credentials
  • Set up log monitoring

Responsible Disclosure

We appreciate responsible security research. If you find a vulnerability:

  • Don't access or modify other users' data
  • Don't degrade service performance
  • Give us reasonable time to respond
  • Don't disclose publicly until a fix is released

Valid security reports will be credited in our release notes.

There aren’t any published security advisories