We take the security of VeriWorkly seriously and appreciate the efforts of the community in responsibly disclosing vulnerabilities.
We provide security updates for the latest stable release.
| Version | Supported |
|---|---|
| ≥ 3.0.0 | ✅ Yes |
| < 3.0.0 | ❌ No |
Only the most recent major version is actively maintained.
If you discover a security vulnerability, please do not open a public issue.
Instead, report it responsibly:
Send an email to:
Please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Any suggested fixes (optional)
Response timeline:
- Acknowledgment: within 24–48 hours
- Investigation: ongoing communication if needed
- Resolution: as quickly as possible, based on severity
Once resolved:
- A security advisory may be published
- You will be credited (if desired)
We follow a security-first approach:
User data is not stored unless explicitly required (e.g., sharing features).
We collect only essential data required for authentication and functionality.
Protections in place include:
- HTTP security headers (Helmet)
- Rate limiting (Redis-backed)
- Input validation (Zod)
Sensitive values (e.g., `AUTH_SECRET`, `JWT_SECRET`) must be securely configured via environment variables.
This policy applies to:
- Frontend (Next.js)
- Backend (Express API)
- Infrastructure defined in this repository
We appreciate responsible disclosure and thank contributors for helping keep the project secure.
Built by VeriWorkly with ❤️.