Security Policy
Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure practices:
Do not open a public GitHub issue for security vulnerabilities.
Instead, email your findings directly to the team lead:
- Archit Jain (@0xarchit) - Team Lead
Include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
- Suggested fix (if you have one)
Security Best Practices
When contributing to CityTrack, please follow these security guidelines:
Authentication & Authorization
- Never hardcode credentials or API keys
- Use environment variables for sensitive data
- Implement proper role-based access control (RBAC)
Data Protection
- All images and GPS data must be encrypted in transit (HTTPS/TLS)
- User authentication must use Supabase Auth
- Implement rate limiting on API endpoints
Code
- Keep dependencies updated
- Run security audits regularly
- Use parameterized queries to prevent SQL injection
- Validate all user inputs
Infrastructure
- Deploy in secure, containerized environments
- Use environment variables for configuration
- Implement proper logging and monitoring
- Regular security updates for all services
Supported Versions
- MVP Release (v0.1.x): Security updates will be provided
Disclosure Timeline
- Report: Contact the team immediately
- Acknowledgment: Within 48 hours
- Fix & Release: Target 7-14 days for critical issues
- Public Disclosure: After fix is released
Thank you for helping keep CityTrack secure!