Vibe Prompting takes security seriously. This document outlines our security measures and how to report vulnerabilities.
Database:
- Row Level Security (RLS) enabled on all tables
- IDOR Protection: Users can only access their own data
- Secure Functions: PostgreSQL functions use SECURITY DEFINER
- Input Validation: XSS and SQL injection prevention

Authentication:
- Supabase Auth with email verification
- Secure session management
- Password hashing with bcrypt
- JWT token validation

API and infrastructure:
- Environment variables for sensitive keys
- Rate limiting on API endpoints
- CORS configuration
- Secure headers
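As an added illustration of the database measures above (this is example DDL, not Vibe Prompting's own schema; the `prompts` table, its columns and the `prompt_word_count` function are assumed), here is how RLS, per-user IDOR protection and a correctly hardened SECURITY DEFINER function fit together on Supabase/PostgreSQL:

```sql
-- Added example (assumed schema, not the project's): a per-user "prompts" table
-- locked down the way the measures above describe.
create table if not exists public.prompts (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  body    text not null
);

-- RLS on: no row is visible or writable until a policy explicitly allows it.
alter table public.prompts enable row level security;

-- IDOR protection: every operation is scoped to the caller's own rows, so a
-- guessed id that belongs to another user simply matches nothing.
create policy "prompts_owner_select" on public.prompts
  for select to authenticated using (user_id = auth.uid());

create policy "prompts_owner_insert" on public.prompts
  for insert to authenticated with check (user_id = auth.uid());

create policy "prompts_owner_update" on public.prompts
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());

create policy "prompts_owner_delete" on public.prompts
  for delete to authenticated using (user_id = auth.uid());

-- SECURITY DEFINER runs with the function owner's privileges, and table owners
-- bypass RLS, so the function must re-check ownership itself and pin
-- search_path so a caller-controlled schema cannot shadow the objects it uses.
create or replace function public.prompt_word_count(p_id bigint)
returns integer
language sql
security definer
set search_path = public
as $$
  select coalesce(array_length(regexp_split_to_array(body, '\s+'), 1), 0)
  from public.prompts
  where id = p_id and user_id = auth.uid();
$$;

-- Keep anonymous roles from calling it; only logged-in users may execute.
revoke execute on function public.prompt_word_count(bigint) from public, anon;
grant execute on function public.prompt_word_count(bigint) to authenticated;
```

A quick check after deploying: run a `select` against the table as two different authenticated users and confirm each sees only its own rows, and that calling the function with another user's id returns no row.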
Supported versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
If you discover a security vulnerability, please follow these steps:
Email: [email protected]
Include the following in your report:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to replicate the issue
- Impact: Potential impact and severity
- Proof of Concept: Code or screenshots (if applicable)
- Suggested Fix: Your recommendations (optional)
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Every 5 business days
- Resolution Target: 30 days for critical issues

Possible outcomes:
- Accepted: We'll work on a fix and credit you in release notes
- Declined: We'll explain why it's not considered a vulnerability
- Duplicate: We'll reference the original report
Security best practices for users:
- Use strong, unique passwords
- Enable two-factor authentication (when available)
- Keep your browser updated
- Don't share API keys

Security best practices for contributors:
- Never commit sensitive data (such as .env files)
- Use environment variables for secrets
- Follow secure coding practices
- Run security linters before opening a PR
For detailed security implementation:
We appreciate responsible disclosure. Security researchers will be:
- Credited in release notes
- Listed in our security acknowledgments
- Given appropriate recognition
For security concerns: [email protected]
Thank you for helping keep Vibe Prompting secure!