English | Français | 中文 | Español | 日本語 | Português | Deutsch | 한국어

If you discover a security vulnerability, please report it responsibly:

1. Do not open a public GitHub issue
2. Send an email to security@macaron-software.com
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.

• JWT-based authentication with token refresh
• Role-Based Access Control (RBAC): admin, project_manager, developer, viewer
• OAuth 2.0 integration (GitHub, Azure AD)
• Session management with secure cookie handling

• Prompt injection guard on all LLM inputs
• Input sanitization on all API endpoints
• SQL parameterized queries (no raw SQL interpolation)
• File path traversal protection

• Secret scrubbing in agent outputs (API keys, passwords, tokens)
• No secrets stored in source code or logs
• Environment-based configuration for sensitive values
• SQLite WAL mode for data integrity

• Content Security Policy (CSP) headers
• CORS configuration for API endpoints
• Rate limiting per user/IP
• HTTPS enforced in production (via Nginx)

• Regular dependency audits via pip-audit
• SAST scanning with bandit and semgrep
• Automated security missions per project (weekly scans)

We follow coordinated disclosure. After a fix is released, we will:

1. Credit the reporter (unless anonymity is requested)
2. Publish a security advisory on GitHub
3. Update the changelog with security fixes