At LogWard, we prioritize the security of our users' data and strive to maintain a robust and secure platform. If you discover any potential threats or vulnerabilities in our system, we kindly ask that you notify us immediately.

1. Email: Send an email to [email protected] with details of the discovered vulnerability.

2. Include:

   • A detailed description of the vulnerability
   • Steps to reproduce the issue
   • Any potential impact or exploitability
   • Your contact information for follow-up

• Do Not Exploit: Do not take advantage of the vulnerability for personal gain or to harm the platform or its users.
• No Data Destruction: Do not delete or destroy any data while investigating the vulnerability.
• Confidentiality: Keep the details of any discovered vulnerabilities confidential until they are resolved.
• Good Faith: Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.

We are committed to:

• Acknowledging your report within 48 hours
• Working with you to understand and validate the issue
• Keeping you informed of our progress in resolving the issue
• Crediting you in our security acknowledgments (if desired)
• Not pursuing legal action against researchers who follow these guidelines

We provide security updates for the following versions:

When self-hosting LogWard, we recommend:

1. Keep LogWard updated to the latest version
2. Use HTTPS for all connections
3. Secure your database with strong passwords and network isolation
4. Enable rate limiting (configured by default)
5. Regularly rotate API keys
6. Monitor access logs for suspicious activity
7. Use environment variables for sensitive configuration (never commit secrets)

LogWard includes several built-in security features:

• API Key Authentication with SHA-256 hashing
• Session-based Authentication with secure token generation
• Rate Limiting on all endpoints
• Input Validation using Zod schemas
• SQL Injection Protection via parameterized queries (Kysely)
• XSS Protection via Content Security Policy headers
• CORS Configuration for cross-origin requests
• Helmet.js for HTTP security headers

For any security-related questions or concerns, please contact us at [email protected].