| Version | Supported |
|---|---|
| 1.0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: [your-email@example.com]
You should receive a response within 48 hours. If for some reason you do not, please follow up to ensure we received your original message.
Please include:
- Type of issue (e.g. SQL injection, XSS, etc.)
- Full paths of source file(s) related to the issue
- Location of the affected source code
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue
When deploying Mummy:
- Never commit
.envfiles to version control - Use environment variables for all secrets
- Enable Twilio signature verification in production
- Use HTTPS for all webhook endpoints
- Regularly update dependencies
- Monitor logs for suspicious activity
- Implement rate limiting (already included)
- Keep MongoDB access restricted
- Use strong, unique API keys
- Enable MongoDB authentication
Mummy includes several security features:
- Input sanitization - Prevents injection attacks
- Rate limiting - Prevents abuse (20 req/min per user)
- Twilio signature verification - Ensures authentic requests
- Security headers - Prevents common web vulnerabilities
- Phone number validation - Prevents invalid inputs
- Request size limits - Prevents DoS attacks
- Structured logging - Helps identify security issues
Mummy handles sensitive health information. Ensure:
- Encrypted connections (HTTPS, MongoDB TLS)
- Access controls - Users can only see their own data
- Data minimization - Only collect necessary data
- Regular backups with encryption
- Compliance with relevant health data regulations
- User consent for data collection
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release new versions as soon as possible
Thank you for helping keep Mummy secure! 🔒