Last Updated: 2026-03-15 | Version: 1.0
We actively maintain security updates for the following versions:
| Version | Supported |
|---|---|
| 1.5.x | ✅ Active |
| 1.4.x | ✅ Security fixes only |
| 1.3.x | |
| < 1.3 | ❌ Not supported |
Please do NOT report security vulnerabilities through public GitHub issues.
- Email: security@progresstracker.app
- Subject: `[SECURITY] Brief description of the vulnerability`
Include (as much as possible):
- Type of vulnerability (XSS, SQLi, CSRF, etc.)
- Affected URL/endpoint
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
| Within | Action |
|---|---|
| 24 hours | Acknowledgment of your report |
| 72 hours | Initial severity assessment |
| 7 days | Communication of the fix timeline |
| 30 days | Public disclosure (after the fix is deployed) |
Security measures currently in place:
Authentication and sessions:
- ✅ NextAuth.js with secure session management
- ✅ Password hashing with bcryptjs (cost factor 12)
- ✅ OAuth 2.0 for social logins
- ✅ JWTs with short expiry
- ✅ Refresh token rotation
- ✅ Two-factor authentication (TOTP)
Data protection:
- ✅ All data encrypted in transit (TLS 1.3)
- ✅ Sensitive tokens encrypted at rest (AES-256)
- ✅ Passwords never stored in plaintext
- ✅ API keys hashed before storage
- ✅ PII fields encrypted in the database
Application hardening:
- ✅ Rate limiting: 100 requests per 15 minutes per IP
- ✅ Input validation with Zod schemas
- ✅ SQL injection prevention via Prisma's parameterized queries
- ✅ XSS protection via React's default output escaping
- ✅ CSRF protection via NextAuth
Infrastructure and dependencies:
- ✅ HTTPS enforced everywhere
- ✅ Security headers (CSP, HSTS, X-Frame-Options)
- ✅ Dependency vulnerability scanning (npm audit)
- ✅ Automated security updates via Dependabot
We recognize security researchers who responsibly disclose vulnerabilities:
No public vulnerabilities reported yet.
We follow a 90-day responsible disclosure policy:
- Fix deployed within 30 days (typically much faster)
- Public disclosure after fix is deployed
- Credit given to reporter (with permission)
📧 Contact: security@progresstracker.app