# Security Policy

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure practices:

**Do not open a public GitHub issue for security vulnerabilities.**

Instead, email your findings directly to the team lead:

- **Archit Jain** (@0xarchit) - Team Lead

Include:

- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
- Suggested fix (if you have one)

## Security Best Practices

When contributing to CityTrack, please follow these security guidelines:

### Authentication & Authorization

- Never hardcode credentials or API keys
- Use environment variables for sensitive data
- Implement proper role-based access control (RBAC)

### Data Protection

- All images and GPS data must be encrypted in transit (HTTPS/TLS)
- User authentication must use [Supabase Auth](https://supabase.com)
- Implement rate limiting on API endpoints

### Code

- Keep dependencies updated
- Run security audits regularly
- Use parameterized queries to prevent SQL injection
- Validate all user inputs

### Infrastructure

- Deploy in secure, containerized environments
- Use environment variables for configuration
- Implement proper logging and monitoring
- Apply regular security updates to all services

## Supported Versions

- **MVP Release (v0.1.x):** Security updates will be provided

## Disclosure Timeline

- **Report:** Contact the team immediately
- **Acknowledgment:** Within 48 hours
- **Fix & Release:** Target 7-14 days for critical issues
- **Public Disclosure:** After the fix is released

---

Thank you for helping keep CityTrack secure!