Do NOT open a public GitHub issue for security vulnerabilities!
We take security seriously. If you discover a security vulnerability in Hashify, please report it responsibly to us.
- Email: Send a detailed report to security@cit.org.in
  - Include the vulnerability details
  - Steps to reproduce
  - Potential impact
  - Your contact information
- PGP Encryption (Optional):
  - Contact us for our public key
  - Encrypt sensitive information
- GitHub Security Advisory (If you prefer):
  - Go to Security Advisories
  - Click "Report a vulnerability"
Please provide:
- Description: Clear explanation of the vulnerability
- Location: Where in the code is the issue?
- Steps to Reproduce: Detailed steps to trigger the vulnerability
- Impact: How severe is this issue?
- Proof of Concept: If applicable, provide a PoC
- Suggested Fix: If you have one
Response timeline:
- Initial Response: Within 48 hours
- Assessment: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 3-7 days
  - Medium: 1-2 weeks
  - Low: As scheduled
- Disclosure: Coordinated disclosure after patch release
Severity levels:
Critical:
- Arbitrary code execution
- Complete data compromise
- System-wide impact
- Affects all users
Fix: Immediate release
High:
- Authentication bypass
- Authorization bypass
- Major data exposure
- Affects many users
Fix: Within days
Medium:
- Moderate data exposure
- Limited functionality impact
- Affects some users
- Workaround available
Fix: Within weeks
Low:
- Minor information disclosure
- Edge case vulnerability
- Limited user impact
- No workaround needed
Fix: Next scheduled release
When using Hashify:
- Keep dependencies updated
- Use HTTPS for all communications
- Sanitize user inputs
- Implement rate limiting
- Use strong encryption
- Monitor for anomalies
- Report security issues responsibly
Do not:
- Expose API keys or secrets
- Use Hashify as your sole security measure
- Ignore security updates
- Commit sensitive data
- Skip input validation
- Trust client-side validation alone
- Share vulnerability details publicly before a patch is released
Security measures in place:
- Input Validation: All inputs validated
- XSS Prevention: Sanitization in place
- CSRF Protection: Tokens where applicable
- Rate Limiting: Prevent abuse
- Secure Headers: Security headers configured
- Dependency Scanning: Regular vulnerability checks
- Code Review: All changes reviewed
Hashing algorithms:
- MD5: Legacy algorithm, suitable only for non-cryptographic use
- SHA-256: Cryptographically secure
- SHA-512: Cryptographically secure
We regularly audit dependencies for vulnerabilities with `npm audit`. Updates are applied:
- Critical: Immediately
- High: Within 48 hours
- Medium: Within 1 week
- Low: Monthly review
The application includes the following security headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Strict-Transport-Security: max-age=31536000
- Content-Security-Policy: default-src 'self'
Data protection:
- Transport: All traffic uses HTTPS/TLS
- Storage: No sensitive data stored locally without encryption
- Hashing: Uses Web Crypto API for cryptographic operations
Privacy:
- No user data is logged or stored
- No tracking or analytics that identify users
- All hashing is done client-side
- No third-party services have access to user data
We practice responsible disclosure:
- Report privately to security team
- Acknowledge receipt within 48 hours
- Investigate thoroughly
- Fix the vulnerability
- Test the fix
- Release patch version
- Disclose after users have time to update
- Credit responsible reporter (optional)
For security concerns:
- Email: security@cit.org.in
- Private Report: Use GitHub Security Advisory
- Questions: GitHub Discussions
Related documents:
- LICENSE - MIT License
- CODE_OF_CONDUCT.md - Community guidelines
- CONTRIBUTING.md - Contribution guidelines
- README.md - Project documentation
Thank you to all security researchers who responsibly report vulnerabilities. Your help makes Hashify safer for everyone.
Last Updated: November 11, 2025