We take the security of LearnMate seriously. This document outlines our security policy, supported versions, and how to report vulnerabilities.
We actively maintain and provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 1.2.x | ✅ Active support | Current stable release |
| 1.1.x | ✅ Security fixes only | Previous stable |
| 1.0.x | ❌ End of life | Upgrade required |
| < 1.0 | ❌ Not supported | - |
| Version | Supported | Status |
|---|---|---|
| 2.1.x | ✅ Active support | Current stable release |
| 2.0.x | ✅ Security fixes only | Previous stable |
| 1.x.x | ❌ End of life | Upgrade required |
| < 1.0 | ❌ Not supported | - |
| Version | Supported | Status |
|---|---|---|
| 1.1.x | ✅ Active support | Current stable release |
| 1.0.x | ✅ Security fixes only | Previous stable |
| 0.x.x | ❌ Beta/Experimental | Not recommended for production |
Note: We recommend always using the latest stable version to receive the most up-to-date security patches and features.
We appreciate the security community's efforts in helping us maintain a secure platform. If you discover a security vulnerability in LearnMate, please follow these guidelines:
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues through one of these channels:
- Email (Preferred): security@learnmate.ai
- Private GitHub Advisory: Use GitHub's private vulnerability reporting feature
- Direct Message: Contact maintainers directly on GitHub
Please provide the following information in your report:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Steps to Reproduce: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected
- Proof of Concept: Code or screenshots demonstrating the vulnerability (if applicable)
- Suggested Fix: Your recommendations for fixing the issue (optional)
- Your Details: Name and contact information for acknowledgment (optional)
Subject: [SECURITY] Brief description of vulnerability
**Vulnerability Type**: [e.g., SQL Injection, XSS, Authentication Bypass]
**Severity**: [Critical/High/Medium/Low]
**Affected Component**: [Frontend/Backend/AI Service]
**Description**:
[Detailed description of the vulnerability]
**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
3. [Step 3]
**Impact**:
[What an attacker could potentially do]
**Affected Versions**:
[List of affected versions]
**Proof of Concept**:
[Code snippet, screenshot, or detailed explanation]
**Suggested Fix**:
[Your recommendations, if any]
We are committed to responding to security reports promptly:
| Timeline | Action |
|---|---|
| Within 24 hours | Initial acknowledgment of your report |
| Within 72 hours | Preliminary assessment and severity classification |
| Within 7 days | Detailed response with our evaluation and action plan |
| Within 30 days | Security patch release (for confirmed vulnerabilities) |
| Within 90 days | Public disclosure (after fix is deployed) |
We use the following severity levels:
- 🔴 Critical: Immediate threat to user data or system integrity (e.g., remote code execution, authentication bypass)
- 🟠 High: Significant security risk (e.g., privilege escalation, SQL injection)
- 🟡 Medium: Moderate security concern (e.g., XSS, CSRF)
- 🟢 Low: Minor security issue (e.g., information disclosure, rate limiting bypass)
- Acknowledgment: We'll confirm the vulnerability and classify its severity
- Timeline: We'll provide an estimated timeline for the fix
- Updates: Regular updates on our progress (at least weekly)
- Credit: You'll be credited in our security acknowledgments (if desired)
- Patch Release: We'll release a security patch and notify users
- Public Disclosure: After users have had time to update (typically 30-90 days)
- Explanation: We'll provide a detailed explanation of why we don't consider it a vulnerability
- Alternative: If applicable, we'll suggest filing a feature request or bug report
- Discussion: We're open to further discussion if you disagree with our assessment
LearnMate implements multiple layers of security:
- ✅ Content Security Policy (CSP) headers
- ✅ XSS protection through React's built-in escaping
- ✅ HTTPS-only in production
- ✅ Secure cookie handling
- ✅ Input sanitization and validation
- ✅ No sensitive data in client-side storage
- ✅ JWT authentication with secure token storage
- ✅ bcrypt password hashing (10+ rounds)
- ✅ Rate limiting (100 requests per 15 minutes per IP)
- ✅ Helmet.js for security headers
- ✅ CORS with whitelist configuration
- ✅ Express-validator for input validation
- ✅ MongoDB injection prevention through Mongoose
- ✅ Environment variable protection
- ✅ Secure session management
- ✅ Input sanitization for ML models
- ✅ Rate limiting on AI endpoints
- ✅ Model file integrity checks
- ✅ Logging and monitoring
- ✅ Isolated service architecture
- ✅ Resource usage limits
- ✅ Regular dependency updates
- ✅ Automated security scanning (Dependabot)
- ✅ HTTPS/TLS encryption
- ✅ Database encryption at rest
- ✅ Regular backups
- ✅ Access control and principle of least privilege
We're transparent about current security limitations:
- API Rate Limiting: Currently set to 100 requests per 15 minutes; may need tuning for production scale
- File Upload: Not yet implemented; will require careful validation when added
- Password Reset: Uses email-based reset; consider adding 2FA in the future
- Session Management: JWT tokens don't have revocation without database lookups
- Two-factor authentication (2FA)
- OAuth integration (Google, GitHub)
- Advanced anomaly detection
- API key rotation system
- Enhanced audit logging
- Security headers hardening
- Automated penetration testing
We gratefully acknowledge security researchers who have responsibly disclosed vulnerabilities:
No vulnerabilities have been reported yet. Be the first to help secure LearnMate!
- OWASP Top 10
- Node.js Security Best Practices
- React Security Best Practices
- MongoDB Security Checklist
- Strong Passwords: Use unique passwords for LearnMate (min 8 characters, mix of letters, numbers, symbols)
- Account Security: Log out after using shared computers
- Suspicious Activity: Report any suspicious activity immediately
- Updates: Keep your browser and operating system updated
For security-related inquiries:
- Security Email: security@learnmate.ai
- General Support: support@learnmate.ai
- GitHub Issues: For non-security bugs only
- Response Time: Within 24 hours for security reports
This security policy is reviewed and updated quarterly. Last updated: November 2024
Changes to this policy will be announced through:
- GitHub repository notifications
- Project changelog
- Security mailing list (opt-in)
We appreciate the security community's efforts and follow responsible disclosure practices. Thank you for helping make LearnMate secure for all users.
Remember: Security is a shared responsibility. If you see something, say something!
This document is based on industry best practices and adapted for the LearnMate project.