Skip to content

Security: SandeepVashishtha/Eventra

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
Latest (master)
Older releases

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Primary Path — GitHub Private Vulnerability Reporting

Use GitHub's built-in private advisory mechanism:

  1. Go to the Security tab of this repository.
  2. Click "Report a vulnerability".
  3. Fill in the details — affected component, steps to reproduce, and potential impact.
  4. Submit. Maintainers will be notified privately and will respond within 72 hours.

Fallback — If Private Reporting Is Unavailable

If the Security tab is disabled or inaccessible, email the maintainer directly:

Encrypt sensitive details if possible. Do not share reproduction steps or proof-of-concept code in any public channel until a fix is released.

What to Include in Your Report

  • Affected file(s), module, or endpoint
  • Steps to reproduce the vulnerability
  • Potential impact (data exposure, privilege escalation, DoS, etc.)
  • Your suggested fix or mitigation (optional but appreciated)

Disclosure Policy

  • Maintainers will acknowledge receipt within 72 hours.
  • A fix target will be communicated within 7 days of confirmation.
  • Public disclosure will happen only after a patch is released, coordinated with the reporter.
  • Credit will be given to the reporter in the release notes unless anonymity is requested.

Out of Scope

  • Vulnerabilities in dependencies (report upstream; open a public issue here to track)
  • Issues requiring physical access to a device
  • Social engineering attacks

JWT Refresh Token Expiration Rules

  • Enforce secure cookie attributes for persistent auth sessions.

Client-side Security Configuration Validation

Eventra performs a lightweight validation of important client-side security configuration during application startup.

The validator checks:

  • HTTPS API endpoint configuration
  • Required environment variables
  • Authentication configuration
  • Content Security Policy (CSP) presence

The validation utility reports configuration warnings during development to help contributors identify missing or insecure settings. It complements existing backend security controls and should not be considered a replacement for server-side validation.

For general bugs or feature requests, open a regular GitHub issue.

There aren't any published security advisories