If you discover a security vulnerability in TradeCRM, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
Send vulnerability reports to: security@tradecrm.dev
Include the following information:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

- Acknowledgment: Within 48 hours of receiving the report
- Initial assessment: Within 5 business days
- Fix timeline: Depends on severity; critical issues targeted for resolution within 7 days

- We will confirm receipt of your report
- We will investigate and validate the vulnerability
- We will develop and test a fix
- We will release a patch and credit you in the changelog (unless you prefer to remain anonymous)

The following areas are in scope for security reports:
- Authentication and authorization bypass
- SQL injection, XSS, or CSRF vulnerabilities
- Tenant isolation failures (cross-tenant data access)
- API key or credential exposure
- Insecure handling of OAuth tokens
- Privilege escalation between user roles
- Webhook signature verification bypass

The following are out of scope:
- Vulnerabilities in third-party services (Clerk, SendGrid, GupShup, etc.) -- report those to the respective vendors
- Denial of service attacks
- Social engineering
- Issues requiring physical access

- Store all API keys and secrets as environment variables
- Enable HTTPS for all public endpoints
- Set `DEV_MODE=false` in production
- Use managed database services with SSL enabled
- Rotate the `ENCRYPTION_KEY` periodically
- Review Clerk webhook signatures
- Restrict CORS to your frontend domain only

| Version | Supported |
|---|---|
| 0.1.x | Yes |

We only provide security patches for the latest release.