
Security: Dev-Adnani/calmlytic


SECURITY.md

Security Policy

Supported Versions

We provide security updates for the following versions:

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

  1. Do NOT open a public GitHub issue
  2. Open a security advisory on GitHub
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)

What to Report

  • Authentication or authorization flaws
  • Data exposure or leakage
  • SQL injection or XSS vulnerabilities
  • CSRF vulnerabilities
  • Insecure API endpoints
  • Privacy concerns
  • Any other security-related issues

What NOT to Report

  • Issues that require physical access to the device
  • Social engineering attacks
  • Denial of service (DoS) attacks
  • Spam or content issues
  • Issues in third-party dependencies (report to them directly)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity (typically 30-90 days)

Disclosure Policy

  • We will acknowledge receipt of your report within 48 hours
  • We will keep you informed of the progress
  • We will credit you in the security advisory (unless you prefer to remain anonymous)
  • We will coordinate public disclosure after a fix is available

Security Best Practices

When using Calmlytic:

  1. Keep dependencies updated

    npm audit
    npm update
  2. Use environment variables for all secrets

    • Never commit .env.local to git
    • Use strong, unique API keys
    • Rotate keys regularly
  3. Enable Row Level Security (RLS) in Supabase

    • Review RLS policies in docs/DATABASE.md
    • Test policies thoroughly
  4. Use HTTPS in production

    • Never expose API keys in client-side code
    • Validate all user inputs
  5. Run regular security audits

    • Run npm audit regularly
    • Review dependencies for vulnerabilities
    • Keep Supabase and Next.js updated

Security Features

Calmlytic includes several security features:

  • ✅ Row Level Security (RLS) on all database tables
  • ✅ Environment variable-based configuration
  • ✅ Secure authentication via Supabase Auth
  • ✅ Encrypted data storage
  • ✅ CSRF protection
  • ✅ Input validation and sanitization
  • ✅ Secure token generation for email unsubscribe

Known Security Considerations

  • API Keys: Always use environment variables, never hardcode
  • Database: Ensure RLS policies are properly configured
  • File Uploads: Image uploads are validated and size-limited
  • Email Tokens: HMAC-based tokens with expiration

Additional Resources

Thank you for helping keep Calmlytic secure! 🔒

There aren’t any published security advisories