We recommend always running the latest version to ensure you have the most recent security patches.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

1. Navigate to the Security tab of this repository
2. Click Report a vulnerability
3. Fill out the form with detailed information
4. Submit the report

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (optional)

We will keep you informed throughout the process and credit you as the discoverer unless you prefer anonymity.

We follow coordinated disclosure:

1. Report privately
2. We investigate and develop a fix
3. We coordinate a disclosure date with you
4. Public advisory published with credit

• Do not publicly disclose until we've addressed the issue
• Do not access or modify other users' data
• Act in good faith

• Clickjacking on pages without sensitive actions
• CSRF on login/logout
• Missing security headers without demonstrated exploit
• Denial of Service attacks
• Social engineering
• Issues in third-party dependencies (report to respective maintainers)

This application implements:

• Authentication: Supabase Auth with secure session management
• Data Encryption: TLS for all data in transit
• Rate Limiting: API protection (Sleeper: 16 req/sec, AI: 30 req/min)
• Input Validation: Server-side validation on all inputs
• CSP Headers: Content Security Policy against XSS
• Dependency Scanning: Dependabot for automated vulnerability detection
• Error Monitoring: Sentry with PII stripping

Thank you for helping keep Quantasy secure.