| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: security@zagros-cmms.local
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Authentication: JWT-based authentication
- Password Hashing: bcrypt with automatic salt
- SQL Injection: Protected via Doctrine ORM parameterized queries
- XSS Protection: React auto-escaping + CSP headers
- CSRF: Tokens implemented for state-changing operations
- Input Validation: Symfony Validator + Zod (frontend)
- Rate Limiting: API and login endpoints rate-limited
- HTTPS: Required in production
- Security Headers: X-Frame-Options, X-Content-Type-Options, etc.
- Docker: No root users in containers
- Database: Not exposed to public internet (internal network only)
- Redis: Password protected, not exposed
- Secrets: Environment variables, never committed to git
- Dependencies: Automated scanning via Dependabot
- Firewall: Only ports 80/443 exposed in production
- Password storage: All passwords hashed before storage (hashed, not reversibly encrypted)
- Token Expiry: JWTs expire after 1 hour
- Audit Logs: All critical actions logged
- Backup: Regular database backups (production)
- Never commit secrets to the repository
- Use environment variables for all sensitive data
- Validate all input on both frontend and backend
- Use parameterized queries always
- Keep dependencies updated regularly
- Run security scans before committing
- Follow OWASP Top 10 guidelines
- Use HTTPS in production
- Implement proper error handling (don't leak sensitive info)
- Review code for security issues before merging
- Change all default passwords in `.env`
- Use strong passwords (minimum 32 characters for secrets)
- Enable firewall on production servers
- Use HTTPS with valid SSL certificates
- Keep software updated (OS, Docker, dependencies)
- Monitor logs for suspicious activity
- Implement backup strategy
- Restrict SSH access
- Use non-root users everywhere
- Regular security audits
- Tokens stored in localStorage (any XSS vulnerability would let injected script read them)
- Consider using httpOnly cookies in production so the token is not readable from JavaScript
- Cross-origin requests: currently allows all origins in development
- Must be restricted to specific domains in production
- File upload functionality not yet implemented
- When implemented, will include: file type validation, size limits, virus scanning
Security updates will be released as soon as possible after a vulnerability is confirmed.
Users are encouraged to:
- Watch this repository for security announcements
- Subscribe to release notifications
- Keep installations up to date
- Review CHANGELOG.md for security fixes
We appreciate responsible disclosure of security vulnerabilities.
Contributors who report valid security issues will be acknowledged (unless they prefer to remain anonymous).
For security-related questions: security@zagros-cmms.local
For general questions: info@zagros-cmms.local