We release patches for security vulnerabilities for the following versions:

We take the security of Valley Catholic Basketball Stats seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• ❌ Open a public GitHub issue
• ❌ Post about it on social media or public forums
• ❌ Attempt to exploit the vulnerability

• ✅ Email us at: [your-security-email@example.com]
• ✅ Provide detailed information about the vulnerability
• ✅ Give us time to fix it before public disclosure

Please provide the following information:

1. Type of vulnerability (e.g., XSS, SQL Injection, authentication bypass)
2. Affected component(s) (e.g., specific API endpoint, page, feature)
3. Steps to reproduce the vulnerability
4. Proof of concept (if possible, but not required)
5. Potential impact of the vulnerability
6. Suggested fix (if you have one)

Subject: [SECURITY] SQL Injection vulnerability in /api/players endpoint

Description:
The /api/players/<name> endpoint is vulnerable to SQL injection through 
the player name parameter.

Steps to Reproduce:
1. Navigate to /api/players/test' OR '1'='1
2. Observe unauthorized data access

Impact:
An attacker could potentially access or modify database records.

Suggested Fix:
Use parameterized queries instead of string concatenation.

• Within 24 hours: We'll acknowledge receipt of your report
• Within 7 days: We'll provide an initial assessment and estimated timeline
• Within 30 days: We'll release a patch (if confirmed as a vulnerability)

We appreciate security researchers who help keep our project safe. With your permission, we'll:

• Credit you in our CHANGELOG and release notes
• Add you to our security hall of fame (if you wish)
• Provide a reference/testimonial for your work (upon request)

When using this application:

• ✅ Never commit .env files or API keys
• ✅ Use environment variables for sensitive data
• ✅ Keep dependencies up to date
• ✅ Run security scans regularly (bandit, safety)
• ✅ Enable 2FA on your GitHub account
• ✅ Review code changes carefully before merging

• ✅ Use HTTPS in production
• ✅ Set FLASK_DEBUG=False in production
• ✅ Use strong database passwords
• ✅ Enable SSL for database connections
• ✅ Regularly update dependencies
• ✅ Monitor application logs for suspicious activity
• ✅ Implement rate limiting on public APIs

• ✅ Keep your API keys confidential
• ✅ Use strong, unique passwords
• ✅ Be cautious about sharing access
• ✅ Report suspicious behavior immediately

This application requires an OpenAI API key. We:

• ✅ Store it only in environment variables
• ✅ Never log it or expose it in responses
• ✅ Include it in .gitignore via .env

• ✅ Use SQLAlchemy ORM to prevent SQL injection
• ✅ Parameterize all queries
• ✅ Validate and sanitize all inputs

• ✅ Content Security Policy headers
• ✅ HTTPS enforced in production
• ✅ XSS protection via template escaping

• OWASP Top 10
• Flask Security Guidelines
• Python Security Best Practices

For security concerns: [your-security-email@example.com]
For general questions: [your-email@example.com]

Thank you for helping keep Valley Catholic Basketball Stats secure! 🔒🏀