We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
We take the security of Code Snippet Manager seriously. If you discover a security vulnerability, please follow these steps:
Please do not create a public GitHub issue for security vulnerabilities.
Send a detailed report to us through one of these channels:
- GitHub Security Advisories: Use the "Report a vulnerability" button in the Security tab
- Private Issue: Create a private security advisory in the repository
Your report should include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity (see below)
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, data breach | 24-48 hours |
| High | Authentication bypass, data exposure | 7 days |
| Medium | Limited data exposure, DoS | 30 days |
| Low | Minor issues, hardening | 90 days |
- Use strong passwords - Minimum 12 characters with mixed case, numbers, and symbols
- Keep your instance updated - Apply security patches promptly
- Use HTTPS - Always deploy with TLS/SSL enabled
- Secure your JWT secret - Use a long, random string for `JWT_SECRET`

```bash
# Generate a secure JWT secret
JWT_SECRET=$(openssl rand -hex 32)
# Use environment variables for sensitive data
# Never commit secrets to version control
```

- Never commit secrets - Use environment variables
- Validate all inputs - Sanitize user input on both client and server
- Use parameterized queries - Prevent SQL injection
- Implement rate limiting - Prevent brute force attacks
- Keep dependencies updated - Regularly update npm and pip packages
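The "validate all inputs" and "use parameterized queries" points above, shown side by side as an added example that is not the project's own code. The `snippets` table, its rows and the function names (`make_db`, `search_unsafe`, `search_safe`, `_escape_like`) are constructed for illustration; it uses Python's standard `sqlite3` module, matching the locally stored SQLite database mentioned below.

```python
import sqlite3


def make_db():
    # Constructed schema and rows for the example; the real project's tables are not assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE snippets (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO snippets (owner, title, body) VALUES (?, ?, ?)",
        [("alice", "hello world", "print('hi')"), ("bob", "deploy keys", "KEY=...")],
    )
    return conn


def search_unsafe(conn, owner, term):
    # Vulnerable form: user input is spliced into the SQL text, so it can change the query
    # (a search term containing a quote reaches the parser as SQL, not as data).
    sql = (
        f"SELECT title FROM snippets WHERE owner = '{owner}' "
        f"AND title LIKE '%{term}%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    # Parameter binding stops injection, but LIKE still has its own wildcards (% and _).
    # Escape them so the user's term is matched literally rather than as a pattern.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, owner, term):
    # Hardened form: values are bound to ? placeholders and are never parsed as SQL.
    sql = (
        "SELECT title FROM snippets WHERE owner = ? "
        "AND title LIKE ? ESCAPE '\\' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (owner, f"%{_escape_like(term)}%"))]
```

The `ESCAPE` clause is the input-validation half of the point: binding alone leaves `%` and `_` in the search term meaningful to `LIKE`, so a term of `%` would otherwise list every snippet the user owns.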
- JWT tokens expire after 24 hours
- Refresh tokens expire after 30 days
- Passwords are hashed using bcrypt
- SQLite database is stored locally
- No data is transmitted to third parties
- User passwords are never stored in plain text
- CORS is configured for specific origins
- Rate limiting should be implemented for production
- All sensitive endpoints require authentication
Security updates will be announced through:
- GitHub Security Advisories
- Release notes
- README updates
We appreciate responsible disclosure and will acknowledge security researchers who:
- Follow this security policy
- Give us reasonable time to fix issues
- Do not exploit vulnerabilities
Thank you for helping keep Code Snippet Manager secure!