Security: rtavarezz/Choosy

Choosy Security Policy

Our Commitment to Security

Choosy takes security seriously because we handle user data and location information and facilitate real-time group interactions. We are committed to protecting our users' privacy and maintaining the integrity of our platform.

Supported Versions

We actively maintain security for the following versions:

Version   Supported   End of Life
1.x.x                 TBD
0.x.x                 2024-12-31

Security Scope

In Scope

  • Authentication and authorization systems
  • User data handling and privacy
  • API security (rate limiting, input validation)
  • Database security and injection vulnerabilities
  • Real-time voting system integrity
  • Location data protection
  • Third-party API integrations
  • Session management and token security

Out of Scope

  • Third-party services (Eventbrite, Ticketmaster APIs)
  • User device security
  • Social engineering attacks
  • Physical security
  • DNS/hosting provider issues

Reporting a Security Vulnerability

Responsible Disclosure Process

  1. Do NOT create a public GitHub issue for security vulnerabilities
  2. Do NOT discuss the vulnerability publicly until it's been addressed
  3. Do NOT attempt to access data that doesn't belong to you

How to Report

  • Email: Report to the maintainer directly (contact information in profile)
  • Response Time: We aim to acknowledge within 48 hours
  • Investigation: Full investigation within 7 days
  • Fix Timeline: Critical issues patched within 30 days

Report Format

Please include:

**Vulnerability Type**: [e.g., SQL Injection, XSS, Authentication Bypass]
**Affected Component**: [e.g., Voting API, User Authentication]
**Severity**: [Critical/High/Medium/Low]
**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
3. [Step 3]

**Impact**: [Description of potential impact]
**Proof of Concept**: [Code, screenshots, or detailed explanation]
**Suggested Fix**: [If you have recommendations]

Severity Classification

  • Critical: Immediate system compromise, data breach risk
  • High: Significant security impact, user data at risk
  • Medium: Limited security impact, requires authentication
  • Low: Minimal security impact, theoretical vulnerabilities

Security Measures

Technical Safeguards

  • Input Validation: All user inputs are validated and sanitized
  • Rate Limiting: API endpoints protected against abuse
  • Authentication: JWT-based secure authentication
  • Database Security: Parameterized queries prevent SQL injection
  • HTTPS: All production traffic encrypted in transit
  • CORS Protection: Proper cross-origin request handling
  • Security Headers: CSP, XSS protection, and security headers implemented

Data Protection

  • Location Privacy: GPS coordinates handled securely
  • User Data: Minimal data collection with explicit consent
  • Phone Numbers: Encrypted storage and limited access
  • Voting Privacy: Anonymous voting with privacy controls
  • Session Security: Secure session management and timeout

Infrastructure Security

  • Environment Separation: Development and production isolation
  • Secret Management: API keys and secrets properly managed
  • Database Encryption: Sensitive data encrypted at rest
  • Audit Logging: Security events logged and monitored
  • Regular Updates: Dependencies updated regularly

Security Best Practices for Contributors

Code Security

  • Never commit API keys, passwords, or secrets
  • Use environment variables for sensitive configuration
  • Validate and sanitize all user inputs
  • Follow secure coding practices
  • Use parameterized database queries
  • Implement proper error handling without information disclosure

Testing

  • Include security testing in your development process
  • Test input validation thoroughly
  • Verify authentication and authorization controls
  • Check for common vulnerabilities (OWASP Top 10)

Dependencies

  • Keep all dependencies up to date
  • Monitor for known vulnerabilities in dependencies
  • Use tools like npm audit or safety for vulnerability scanning
  • Review dependency changes for security implications

Bug Bounty and Recognition

While we don't currently have a formal bug bounty program, we:

  • Acknowledge security researchers in our security hall of fame
  • Provide public recognition for significant discoveries (with permission)
  • Consider financial rewards for critical vulnerabilities on a case-by-case basis

Legal Protection

Security researchers acting in good faith will not face legal action for:

  • Reporting vulnerabilities through proper channels
  • Testing on their own accounts with minimal impact
  • Following responsible disclosure practices
  • Not accessing other users' data

Questions and Contact

For security questions that don't involve vulnerabilities:

  • Open a GitHub issue with the security label
  • Contact the maintainer for sensitive discussions

For general security guidance:


Last Updated: August 2024
Next Review: December 2024