
Security: MananVyas01/DevScope


SECURITY.md

Security Policy

Supported Versions

We actively support the following versions of DevScope:

Version   Supported
1.1.x     ✅ Fully supported
1.0.x     ✅ Security fixes only
< 1.0     ❌ No longer supported

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

🚨 For Security Issues

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please:

  1. Email us directly: send details to security@devscope.dev; if that address is unavailable, open a private GitHub security advisory on the repository instead
  2. Include details:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)
  3. Allow time for response: We'll acknowledge receipt within 48 hours
  4. Coordinate disclosure: We'll work with you on responsible disclosure

🔍 What We Consider Security Issues

  • Authentication bypass
  • Privilege escalation
  • SQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Remote code execution
  • Information disclosure
  • API key exposure
  • Session hijacking

🛡️ Security Best Practices

When contributing to DevScope:

Environment Variables

  • Never commit .env files
  • Use .env.example for templates
  • Rotate API keys regularly
  • Use strong, unique passwords

Code Security

  • Validate all user inputs against an allowlist at the API boundary
  • Use parameterized queries for every database operation; escaping or "sanitizing" values into SQL text is not a substitute
  • Handle errors without leaking stack traces, query text or internal paths to clients
  • Keep dependencies updated
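The difference between the "sanitize" and "parameterize" advice above is easiest to see with a query that is built both ways. The following is an added example written for this policy, not DevScope's own code: it uses an in-memory SQLite table with constructed rows, a hypothetical `validate_username` allowlist check for the boundary, and the same injection string against a string-formatted query and a placeholder-bound one.

```python
import re
import sqlite3
from typing import List

# Constructed in-memory sample table for this demonstration; not DevScope's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


# Allowlist for a GitHub-style login: 1-39 alphanumerics or hyphens, no leading/trailing hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$")


def validate_username(username: str) -> bool:
    # Boundary validation: reject anything outside the allowlist before it reaches the DB.
    return bool(USERNAME_RE.fullmatch(username))


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # Untrusted input is pasted into the SQL text, so quotes in it are parsed as SQL.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # The value is bound to a placeholder by the driver and is never parsed as SQL.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


# Classic tautology payload; constructed for the demonstration.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(validate_username(INJECTION))         # rejected at the boundary
    print(find_user_vulnerable(db, INJECTION))  # every username leaks
    print(find_user_safe(db, INJECTION))        # no match
```

Both layers matter: the allowlist stops the obviously hostile string early, but the parameterized query is what protects the database when a field legitimately has to accept quotes (a free-text search, a display name).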

API Security

  • Always use HTTPS in production
  • Rate-limit authentication and other expensive endpoints
  • Verify every JWT's signature, algorithm, expiry, audience and issuer before trusting any of its claims
  • Restrict CORS to the exact origins that need credentialed access
  • Log security events (failed logins, rejected tokens, rate-limit hits)

🔐 Security Headers

Our backend restricts cross-origin access with CORS middleware. CORS is a browser-enforced access control on who may read API responses; it does not replace response security headers such as Strict-Transport-Security or Content-Security-Policy, which must be set separately.

```python
# Example CORS middleware (FastAPI / Starlette)
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    # Explicit origins only. Never combine allow_origins=["*"] with
    # allow_credentials=True: that lets any site make authenticated requests.
    allow_origins=["https://yourdomain.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["*"],
)
```
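The middleware above sets only CORS headers. The following added example (written for this policy, not DevScope's code) shows a pure-ASGI middleware that adds the actual security headers to every response and, for allowlisted origins, echoes the exact `Origin` rather than `*`, which is what credentialed CORS requires. The header values, the `hello_app` stand-in application and the `run_request` driver are constructed for the demonstration; preflight `OPTIONS` handling is deliberately left to `CORSMiddleware`.

```python
import asyncio
from typing import Dict, Iterable, Optional

# Strict defaults for a JSON API; relax the CSP only on routes that actually serve HTML.
SECURITY_HEADERS = {
    b"strict-transport-security": b"max-age=63072000; includeSubDomains",
    b"x-content-type-options": b"nosniff",
    b"x-frame-options": b"DENY",
    b"referrer-policy": b"no-referrer",
    b"content-security-policy": b"default-src 'none'; frame-ancestors 'none'",
    b"cache-control": b"no-store",
}


class SecurityHeadersMiddleware:
    """Hypothetical pure-ASGI middleware: adds SECURITY_HEADERS to every HTTP response
    and echoes an allowlisted Origin exactly (never '*') for credentialed CORS."""

    def __init__(self, app, allowed_origins: Iterable[str]):
        self.app = app
        self.allowed = {o.encode("latin-1") for o in allowed_origins}

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        origin = dict(scope.get("headers", [])).get(b"origin")
        cors: Dict[bytes, bytes] = {}
        if origin is not None and origin in self.allowed:
            # Browsers reject '*' with credentials; 'Vary: Origin' stops shared caches
            # from replaying one origin's response to another.
            cors = {
                b"access-control-allow-origin": origin,
                b"access-control-allow-credentials": b"true",
                b"vary": b"Origin",
            }

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                # Drop any app-set values for these names, then append ours.
                kept = [(k, v) for k, v in message.get("headers", [])
                        if k not in SECURITY_HEADERS and k not in cors]
                message = {**message,
                           "headers": kept + list(SECURITY_HEADERS.items()) + list(cors.items())}
            await send(message)

        await self.app(scope, receive, send_with_headers)


async def hello_app(scope, receive, send):
    # Minimal stand-in for the real API, constructed for the demonstration.
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"ok":true}'})


def run_request(app, origin: Optional[str] = None) -> Dict[str, str]:
    """Drive the ASGI app with one constructed GET (no server) and return the response headers."""
    headers = [(b"host", b"api.your-domain.com")]
    if origin is not None:
        headers.append((b"origin", origin.encode("latin-1")))
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in start["headers"]}


app = SecurityHeadersMiddleware(hello_app, allowed_origins=["https://your-domain.com"])
```

With FastAPI the same class is registered as `app.add_middleware(SecurityHeadersMiddleware, allowed_origins=[...])`, placed so that it wraps `CORSMiddleware`; the ASGI interface means it needs no framework import and can be unit-tested as above.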

📊 Dependency Security

We use tools to monitor dependencies:

  • npm audit for Node.js packages
  • pip-audit for Python packages
  • Dependabot for automated updates
  • Snyk for vulnerability scanning

🔄 Security Update Process

  1. Identify vulnerability through reports or scanning
  2. Assess impact and affected versions
  3. Develop fix and test thoroughly
  4. Prepare security advisory with details
  5. Release patch with security fix
  6. Notify users of the update
  7. Publish advisory after users have time to update

🏆 Responsible Disclosure

We believe in responsible disclosure and will:

  • Acknowledge your report within 48 hours
  • Provide regular updates on our progress
  • Credit you in our security advisory (if desired)
  • Work with you on coordinated disclosure timing

📞 Contact Information

  • Security Email: security@devscope.dev (preferred)
  • GitHub Security Advisories: Use GitHub's private reporting feature
  • General Issues: For non-security issues, use our public GitHub issues

🙏 Thank You

We appreciate security researchers and users who help keep DevScope secure. Your responsible disclosure helps protect all users of the platform.

Common Security Configurations

Production Environment Variables

# Always use HTTPS URLs in production
SUPABASE_URL=https://your-project.supabase.co
FRONTEND_URL=https://your-domain.com

# Use strong, unique secrets: at least 32 random bytes, never reused across environments
SECRET_KEY=your-long-random-secret-key
JWT_SECRET=your-jwt-secret-from-supabase

# Restrict CORS to your domains only
BACKEND_CORS_ORIGINS=https://your-domain.com,https://www.your-domain.com

Supabase Security

  • Enable Row Level Security (RLS) on every table exposed through the API; without it the anon key can read and write all rows
  • Write auth policies per table and test them from a non-privileged session, not just as the service role
  • Use the service role key only in the backend; it bypasses RLS and must never reach the browser or the frontend bundle
  • Rotate keys regularly

GitHub Integration Security

  • Use GitHub Apps instead of personal access tokens when possible; installation tokens are scoped to the app's permissions and short-lived
  • Verify the X-Hub-Signature-256 header on every webhook delivery before parsing the payload
  • Store the App's private key and webhook secret in a secrets manager or environment variables, never in the repository
  • Request only the permissions the integration needs
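Webhook signature verification is the one item above that is routinely implemented wrong (compared with `==`, computed over re-serialized JSON, or falling back to the SHA-1 header). The following is an added example for this policy, not DevScope's own handler: GitHub's documented scheme is `X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw body>`, and the code checks it with a constant-time comparison before the body is parsed. `WEBHOOK_SECRET`, `SAMPLE_BODY` and `SAMPLE_HEADERS` are constructed, and `handle_delivery` is a hypothetical endpoint.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional


def verify_github_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False  # missing header, or the legacy SHA-1 variant: reject, never fall back
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte.
    return hmac.compare_digest(expected, signature_header)


def sign_for_test(secret: bytes, body: bytes) -> str:
    """Produce the header GitHub would send; used here only to build constructed deliveries."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_delivery(secret: bytes, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Hypothetical webhook endpoint: verify first, parse JSON only afterwards."""
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"status": 401, "reason": "invalid signature"}
    try:
        payload = json.loads(body)
    except ValueError:
        return {"status": 400, "reason": "invalid JSON"}
    return {
        "status": 200,
        "event": headers.get("X-GitHub-Event"),
        # Persist and de-duplicate on the delivery id to resist replayed deliveries.
        "delivery_id": headers.get("X-GitHub-Delivery"),
        "action": payload.get("action"),
        "repo": payload.get("repository", {}).get("full_name"),
    }


# Constructed sample delivery; not a real GitHub payload or secret.
WEBHOOK_SECRET = b"replace-with-the-secret-configured-on-the-github-app"
SAMPLE_BODY = b'{"action":"opened","repository":{"full_name":"MananVyas01/DevScope"}}'
SAMPLE_HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000000",
    "X-Hub-Signature-256": sign_for_test(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY.replace(b"opened", b"closed")))
```

In a FastAPI route the body must be read as the exact bytes GitHub sent (`await request.body()`), not re-serialized from a parsed model, because any whitespace or key-order change alters the MAC.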

This security policy is subject to updates. Please check back regularly for the latest information.

There aren’t any published security advisories