| Version | Support |
|---|---|
| main | ✅ Active |
| < main | ❌ No support |
DO NOT open a public issue to report security vulnerabilities.
Instead:
- Email the project maintainers with the subject `[SECURITY] ESPAlert — <brief description>`.
- Include:
  - Detailed description of the vulnerability.
  - Steps to reproduce.
  - Potential impact.
  - Possible fix (if you know one).
- You will receive a response within 72 hours.
- API keys and secrets are never stored in the repository.
- All passwords are hashed with bcrypt.
- JWT tokens have configurable expiration.
- The API implements rate limiting with SlowAPI + Redis.
- Security headers (HSTS, CSP, X-Frame-Options) are configured in both FastAPI middleware and Nginx.
- User data complies with GDPR/LOPDGDD (data export and deletion endpoints).
- Docker containers run as a non-root user (`appuser`).
We follow a coordinated disclosure policy. We appreciate being given reasonable time to fix the vulnerability before it is made public.
All valid security reports will be acknowledged in the CHANGELOG or in the credits of the corresponding release.