This project is currently pre-1.0 and evolves quickly. Security fixes are only guaranteed on the latest state of the default branch.
| Version | Supported |
|---|---|
| `main` or the latest default branch | Yes |
| Older branches, forks, and unpublished snapshots | No |
If you discover a security vulnerability:
- Do not open a public GitHub issue or pull request with exploit details.
- Prefer GitHub Security Advisories or Private Vulnerability Reporting if that feature is enabled for the repository.
- If no private reporting channel is available in the repository you are using, contact the maintainers privately.
- If you cannot identify a private channel safely, open a minimal public issue requesting a secure contact path without disclosing the vulnerability.
Please include:
- A clear summary of the issue
- The affected area or files
- Impact and severity assessment
- Reproduction steps or proof of concept
- Required preconditions
- Any suggested remediation
Maintainers will try to:
- Acknowledge the report within 5 business days
- Validate and triage the issue as quickly as practical
- Keep the reporter informed about major status changes
- Coordinate disclosure after a fix or mitigation is available
Please avoid public disclosure until maintainers have had a reasonable opportunity to investigate and remediate the issue.
Security reports may include vulnerabilities involving:
- Backend API behavior in `backend/`
- Frontend code in `frontend/`
- Prisma schema and database access logic
- Config loading and runtime overrides using `CI_*`
- Cron, websocket, and fetcher execution flows
- Secret handling and auth-related fetcher configuration
- Dependency vulnerabilities with a practical impact on this repository
Reports are less useful when they only describe:
- Best-practice suggestions without a concrete exploit path
- Problems in third-party services that are outside this repository's control
- Local-only weaknesses that require full access to a contributor's machine and do not affect the repository or shipped code
Good-faith research is welcome. Please:
- Minimize access to data that is not your own.
- Avoid actions that damage availability, integrity, or confidentiality.
- Stop once you have confirmed the issue.
- Do not exfiltrate, modify, or publicly disclose sensitive data.
Contributors must not commit real secrets or operational data.
Be especially careful with:
- `backend/.env`
- `DATABASE_URL`
- `GITHUB_TOKEN`
- `NEWS_API_KEY`
- `SOCIAL_API_TOKEN`
- Mail provider credentials or future API keys added to environment configuration
Before pushing changes:
- Check that no local `.env` file is staged.
- Check that no SQLite database, log file, export, or debug artifact is staged.
- Sanitize screenshots, logs, and payload examples included in issues or PRs.
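The checks above can be automated. The following is an added example, not a script from this project: a POSIX shell hook that reads the staged paths and the staged diff and refuses the commit if a local `.env`, a SQLite database, a log, an export, or a debug artifact is staged, or if an added line assigns a non-empty value to one of the secret variables named above (`DATABASE_URL`, `GITHUB_TOKEN`, `NEWS_API_KEY`, `SOCIAL_API_TOKEN`). It works on staged content, so it fits as a `pre-commit` hook and can also be run by hand before pushing. The file-name patterns, the `.env.example` allow-list, and the placeholder heuristics are assumptions, not rules the project states.

```shell
#!/bin/sh
# Added example hook, not part of the project. Install as .git/hooks/pre-commit
# (chmod +x) or run by hand before pushing.

# Paths that must never be staged. The exact artifact names (SQLite DB, log,
# export and dump directories, debug dumps) are assumptions beyond the page's list.
BLOCKED_PATH_RE='(^|/)\.env(\..*)?$|\.(sqlite|sqlite3|db)$|\.log$|(^|/)(exports?|dumps?)/|\.dump$|(^|/)debug[^/]*\.(json|txt)$'

# Committed templates that are allowed even though they look like .env files.
ALLOWED_PATH_RE='(^|/)\.env\.(example|sample|template)$'

# Secret variable names from the policy; flag an added line that gives one a
# non-empty literal value. References such as process.env.X are exempted below.
SECRET_VAR_RE='(^|[^A-Za-z0-9_])(DATABASE_URL|GITHUB_TOKEN|NEWS_API_KEY|SOCIAL_API_TOKEN)[[:space:]]*=[[:space:]]*[^[:space:]]'
ENV_REF_RE='process\.env|os\.environ|\$\{?[A-Z_]+'

# staged_artifact_check: one staged path per line on stdin.
# Returns 0 when nothing blocked is staged, 1 otherwise.
staged_artifact_check() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$path" | grep -Eq "$ALLOWED_PATH_RE"; then
            continue
        fi
        if printf '%s\n' "$path" | grep -Eq "$BLOCKED_PATH_RE"; then
            echo "blocked: $path is staged and must not be committed" >&2
            rc=1
        fi
    done
    return $rc
}

# staged_secret_check: a unified diff on stdin (git diff --cached).
# Tracks the current file from '+++ b/' headers and flags added lines that
# assign a literal value to a secret variable, except in allowed templates.
staged_secret_check() {
    rc=0
    file=""
    while IFS= read -r line; do
        case "$line" in
            "+++ b/"*) file="${line#+++ b/}"; continue ;;
            "+++ "*|"--- "*) continue ;;
            "+"*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "$file" | grep -Eq "$ALLOWED_PATH_RE"; then
            continue
        fi
        content="${line#+}"
        if printf '%s\n' "$content" | grep -Eq "$SECRET_VAR_RE" &&
           ! printf '%s\n' "$content" | grep -Eq "$ENV_REF_RE"; then
            echo "blocked: $file adds a literal value for a secret variable" >&2
            rc=1
        fi
    done
    return $rc
}

# Run against the index when invoked inside a git work tree.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git diff --cached --name-only --diff-filter=ACMR | staged_artifact_check || exit 1
    git diff --cached | staged_secret_check || exit 1
fi
```

The secret check is a heuristic: an empty assignment such as `GITHUB_TOKEN=` passes, as does a value in `backend/.env.example`, while `GITHUB_TOKEN=ghp_...` in any other file is refused. Extend `SECRET_VAR_RE` when new credentials (for example mail provider settings) are added to the environment configuration.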
If you believe a credential has been exposed:
- Revoke or rotate it immediately.
- Remove it from the proposed change set.
- Notify the maintainers through a private channel.
When contributing code, also review the security impact of:
- Changes to `backend/config/fetchers.json`, especially `requiresAuth` and `authEnvVar`
- Changes to `backend/config/scheduler.json` that alter execution frequency or operational blast radius
- Changes to `backend/prisma/schema.prisma` that affect stored data, retention, or exposure
- Changes to API response shapes, websocket payloads, or raw response storage
- New dependencies added to the root, backend, or frontend package manifests
When applicable, run the relevant project checks before opening a PR:
```sh
npm run test --prefix backend
npm run typecheck --prefix backend
npm run lint --prefix frontend
npm run build
```
Keep dependencies current and review advisories before merging sensitive changes.
If a dependency issue affects this repository in practice, report it through the same private process described above.