Security: flurdy/sortingoffice

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

Version Supported
3.x.x
2.x.x
1.x.x

Reporting a Vulnerability

We take security vulnerabilities seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

How to Report

  1. Create a private GitHub Security Advisory at github.com/flurdy/sortingoffice/security/advisories
  2. Contact us via our contact form at ltrbx.io/flurdy.com
  3. PGP keys are available at keybase.io/flurdy for encrypted communication

Include detailed information about the vulnerability:

  • Description of the issue
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

What to Expect

  • Initial response within 48 hours
  • Regular updates on the status of the issue
  • Credit in the security advisory (if desired)
  • Coordination for responsible disclosure

Responsible Disclosure

We follow responsible disclosure practices:

  1. Private reporting - Report vulnerabilities privately first
  2. Timeline - We aim to fix critical issues within 30 days
  3. Coordination - We work with reporters on disclosure timing
  4. Credit - We credit security researchers in advisories

Security Features

Authentication & Authorization

  • Session-based authentication with secure cookies
  • Role-based access control (ReadOnly, Edit, Admin)
  • Session expiration and secure session management
  • Password hashing using bcrypt

Data Protection

  • Input validation and sanitization
  • SQL injection prevention through parameterized queries
  • XSS protection through proper output encoding
  • CSRF protection for state-changing operations

Database Security

  • Connection encryption for database connections
  • Prepared statements for all database queries
  • Access control at the application level
  • Audit logging for sensitive operations

Network Security

  • HTTPS enforcement in production
  • Comprehensive security headers implementation:
    • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
    • X-Frame-Options: DENY - Prevents clickjacking attacks
    • X-XSS-Protection: 1; mode=block - Enables XSS protection
    • Referrer-Policy: strict-origin-when-cross-origin - Controls referrer information
    • Content Security Policy: Comprehensive CSP with safe defaults for scripts, styles, and resources
    • Strict-Transport-Security: Added for production environments (HSTS)
  • Rate limiting for API endpoints
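The two lists above (secure session cookies under "Authentication & Authorization", and the response-header baseline under "Network Security") describe what a deployment should send but give no way to verify it. The following dependency-free Rust program is an added example, not code from the sortingoffice project: it parses raw response-header lines and reports which baseline headers and which session-cookie attributes are missing. The function names, the sample response, the CSP string used as a "safe default", and the treatment of Max-Age/Expires as the marker of "session expiration" are all assumptions of this example; the header names and values themselves are the ones the policy lists.

```rust
use std::collections::HashMap;

/// Response-header baseline taken from the "Network Security" list above.
/// HSTS is appended only when `production` is true, as the policy states.
/// The CSP string is an assumed "safe default"; the policy does not print its own.
pub fn expected_headers(production: bool) -> Vec<(&'static str, &'static str)> {
    let mut headers = vec![
        ("x-content-type-options", "nosniff"),
        ("x-frame-options", "DENY"),
        ("x-xss-protection", "1; mode=block"),
        ("referrer-policy", "strict-origin-when-cross-origin"),
        ("content-security-policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ];
    if production {
        headers.push(("strict-transport-security", "max-age=31536000; includeSubDomains"));
    }
    headers
}

/// Parse raw "Name: value" header lines (the status line and blank lines are
/// skipped) into a map keyed by lowercase header name.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .filter_map(|line| line.split_once(':'))
        .map(|(name, value)| (name.trim().to_ascii_lowercase(), value.trim().to_string()))
        .collect()
}

/// Names of baseline headers that are absent or carry a value other than the expected one.
pub fn missing_headers(raw: &str, production: bool) -> Vec<String> {
    let got = parse_headers(raw);
    expected_headers(production)
        .into_iter()
        .filter(|(name, want)| got.get(*name).map_or(true, |v| v.as_str() != *want))
        .map(|(name, _)| name.to_string())
        .collect()
}

/// Pull the first Set-Cookie value out of raw header lines. Cookies are read
/// from the lines directly because duplicate names would collapse in the map.
pub fn first_set_cookie(raw: &str) -> Option<&str> {
    raw.lines()
        .filter_map(|line| line.split_once(':'))
        .find(|(name, _)| name.trim().eq_ignore_ascii_case("set-cookie"))
        .map(|(_, value)| value.trim())
}

/// Attributes a session cookie should carry to count as a "secure cookie".
/// Returns the ones missing from a Set-Cookie value such as
/// "session=abc; Path=/; HttpOnly". Requiring a bounded lifetime (Max-Age or
/// Expires) is this example's assumption about how session expiration is enforced.
pub fn missing_cookie_flags(set_cookie: &str) -> Vec<&'static str> {
    let attrs: Vec<String> = set_cookie
        .split(';')
        .skip(1) // the first segment is name=value, not an attribute
        .map(|a| a.trim().to_ascii_lowercase())
        .collect();
    // Attribute name only, so "max-age=3600" matches "max-age".
    let has_attr = |name: &str| {
        attrs.iter().any(|a| a.split_once('=').map_or(a.as_str(), |(k, _)| k) == name)
    };
    let mut missing = Vec::new();
    if !has_attr("secure") {
        missing.push("Secure");
    }
    if !has_attr("httponly") {
        missing.push("HttpOnly");
    }
    // SameSite=None gives no CSRF protection, so only Lax or Strict count.
    if !attrs.iter().any(|a| a == "samesite=lax" || a == "samesite=strict") {
        missing.push("SameSite=Lax or Strict");
    }
    if !(has_attr("max-age") || has_attr("expires")) {
        missing.push("Max-Age or Expires");
    }
    missing
}

fn main() {
    // Constructed sample response (not captured from a real Sorting Office deployment).
    let raw = "HTTP/1.1 200 OK\r\n\
               Content-Type: text/html; charset=utf-8\r\n\
               X-Content-Type-Options: nosniff\r\n\
               X-Frame-Options: DENY\r\n\
               Set-Cookie: session=abc123; Path=/; HttpOnly\r\n";
    println!("missing headers (production): {:?}", missing_headers(raw, true));
    if let Some(cookie) = first_set_cookie(raw) {
        println!("missing cookie flags: {:?}", missing_cookie_flags(cookie));
    }
}
```

Run it against the raw headers returned by a production instance (for example the output of `curl -sI` against the login page) and an empty result for both checks means the deployment sends what the policy promises. Two notes on the baseline: `X-XSS-Protection` is kept here only because the policy lists it, current browsers ignore the header and the CSP does the real work; and the HSTS check is deliberately skipped outside production so that a development instance on plain HTTP is not flagged for a header it should not send.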

Security Best Practices

For Users

  1. Keep updated - Always use the latest stable version
  2. Secure deployment - Use HTTPS in production
  3. Strong passwords - Use complex passwords for admin accounts
  4. Regular backups - Maintain secure backups of your data
  5. Access control - Limit access to authorized personnel only

For Developers

  1. Security reviews - All code changes undergo security review
  2. Dependency scanning - Regular vulnerability scans
  3. Testing - Comprehensive security testing
  4. Documentation - Security considerations documented

Security Advisories

Security advisories are published on:

Security Team

Our security team can be reached at:

Bug Bounty

We currently do not have a formal bug bounty program, but we do offer:

  • Recognition in security advisories
  • Swag for significant security contributions
  • Credit in release notes

Compliance

Sorting Office is designed with security in mind and can be deployed in environments requiring:

  • GDPR compliance - Data protection and privacy features
  • SOC 2 - Security controls and audit trails
  • ISO 27001 - Information security management

Security Checklist

Before deploying Sorting Office in production:

  • Use HTTPS with valid certificates
  • Configure secure session settings
  • Set up proper firewall rules
  • Enable database encryption
  • Configure secure backup procedures
  • Set up monitoring and alerting
  • Review and customize access controls
  • Test security features thoroughly

Security Resources

  • OWASP Top 10: We follow OWASP security guidelines
  • Rust Security: We follow Rust security best practices
  • Database Security: We implement database security best practices

Security is a shared responsibility. Thank you for helping keep Sorting Office secure!

There aren’t any published security advisories