Currently, these versions of SendAny receive security updates:
| Version | Supported |
|---|---|
| 0.1.x | β |
SendAny's security is a priority. If you discover a security vulnerability, please follow these guidelines:
DO NOT create a public issue for security vulnerabilities.
Instead:
- Use GitHub Security Advisories: Go to Security Advisories and create a private advisory
- Direct email: Contact maintainers via email (if available)
- Provide details: Include as much information as possible about the vulnerability
When reporting a vulnerability, include:
- Vulnerability type: XSS, SQL Injection, CSRF, etc.
- Detailed description: How the vulnerability works
- Steps to reproduce: How to demonstrate the vulnerability
- Potential impact: What damage could be caused
- Fix suggestions: If you have ideas for fixing
- Evidence: Screenshots, logs, or proof-of-concept
- Acknowledgment: We'll confirm receipt within 24-48 hours
- Initial assessment: We'll evaluate severity within 2-5 days
- Development: We'll work on the fix
- Coordinated disclosure: We'll work with you on public disclosure timing
- Release: We'll release the fix and appropriate credit
We're particularly interested in vulnerabilities related to:
- Authentication bypass: Bypassing Stack Auth
- SQL Injection: In database queries
- XSS: Cross-site scripting in user inputs
- File upload vulnerabilities: Uploading malicious files
- Access control: Accessing other users' workspaces
- Data exposure: Sensitive data leakage
- CSRF: Cross-site request forgery
- Open redirect: Malicious redirects
- Information disclosure: Minor information leakage
- Rate limiting bypass: Bypassing API limits
- Session management: Session-related issues
- Database exposure: PostgreSQL/Neon misconfiguration
- Google Drive API abuse: Misuse of integration
- Environment variable exposure: Secret leakage
- DoS attacks: Denial of service attacks
The following activities are NOT considered vulnerabilities:
- Self-XSS: Requiring victim interaction to execute own code
- Social engineering: Attacks depending on human manipulation
- Physical attacks: Physical device access
- Brute force: Brute force attacks on passwords
- Missing security headers: Missing security headers without exploitation demonstration
- Clickjacking: On pages without sensitive actions
- Content spoofing: Without practical impact demonstration
For valid security contributions, we offer:
- Public credit: Your name in SECURITY.md and changelog
- GitHub Security Advisory: Official mention
- Swag: Stickers or t-shirts (We are analyzing options)
- Priority: Prioritized bug fixes
- GitHub Security Advisories: Link
- Email: rosielvictor.dev@gmail.com
- Response time: 24-48 hours for initial acknowledgment
As a SendAny user, you can help maintain security:
- Dependencies: Keep dependencies updated
- Environment variables: Never commit secrets
- Input validation: Always validate user inputs
- Authentication: Use Stack Auth correctly
- HTTPS: Always use HTTPS in production
- Strong passwords: Use strong passwords for workspaces
- Sensitive data: Don't share confidential information
- Public links: Be careful with public workspaces
- Google Drive: Review permissions regularly
SendAny already implements several security measures:
- Authentication: Stack Auth with JWT
- Password hashing: bcrypt for workspace passwords
- Input validation: Zod schemas for validation
- File type validation: File type validation on upload
- CORS: Proper CORS configuration
- SQL parameterization: Parameterized queries to prevent SQL injection
- Automatic updates: Dependencies are updated regularly via Dependabot
- Security patches: Security patches are prioritized
- Disclosure: Vulnerabilities are disclosed after fixes
Last updated: 2025-08-21
Thank you for helping keep SendAny secure! π