We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |


We take the security of PicPeak seriously. If you have discovered a security vulnerability, please follow these steps:

- Open a security issue on GitHub
- Mark it clearly as "SECURITY" in the title
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Once you have reported a vulnerability, you can expect:

- Acknowledgment within 48 hours
- Regular updates on our progress
- Credit in the fix announcement (unless you prefer to remain anonymous)


PicPeak implements several security measures:

- JWT-based authentication with secure token storage
- bcrypt password hashing with configurable rounds
- Role-based access control for admin functions
- Session timeout management
- All user inputs are validated and sanitized
- SQL injection prevention through parameterized queries
- XSS protection via Content Security Policy
- File upload restrictions and validation
- API rate limiting to prevent abuse
- Brute force protection on authentication endpoints
- Configurable limits per endpoint
- HTTPS enforcement in production
- Secure cookie settings
- CORS configuration
- Sensitive data encryption
- Regular dependency updates
- Security headers (HSTS, X-Frame-Options, etc.)
- Activity logging for audit trails
- Automated backups

We recommend the following when deploying PicPeak:

- Always use HTTPS in production
- Change default passwords immediately
- Keep dependencies updated regularly
- Configure firewall rules appropriately
- Monitor logs for suspicious activity
- Back up regularly and test restoration


We believe in responsible disclosure. Once a vulnerability is fixed, we will:

- Publish a security advisory
- Credit researchers (with permission)
- Detail the impact and mitigation steps
- Release patches for all supported versions


Contact:

- Security issues: Create a security issue on GitHub
- General support: GitHub Issues

Thank you for helping keep PicPeak and its users safe!