We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of Shadway seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly until it has been addressed
- Do not exploit the vulnerability for malicious purposes
Please report security vulnerabilities by emailing: moazamdevw@gmail.com
Include the following information:
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and potential attack scenarios
- Any potential solutions you've identified
What to expect after you report:
- Acknowledgment: We will acknowledge your email within 48 hours
- Investigation: We will investigate and validate the vulnerability
- Updates: We will keep you informed of our progress
- Fix Timeline: Critical vulnerabilities receive an immediate patch release; high-severity issues are patched within 7 days (see the release timelines below)
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
When contributing to Shadway, please follow these security guidelines:
- Never hardcode credentials or API keys
- Use environment variables for sensitive data
- Implement proper session management
- Validate user permissions on all protected routes
- Use HTTPS in production
- Sanitize all user inputs
- Validate data on the server; client-side validation is for usability only and can be bypassed
- Prevent SQL/NoSQL injection attacks
- Protect against XSS (Cross-Site Scripting)
- Implement CSRF protection
- Use parameterized queries
- Implement proper access controls
- Never expose database credentials in code
- Back up the database regularly
- Monitor for suspicious activities
- Rate limit API endpoints
- Implement proper authentication
- Validate all request data
- Use secure headers
- Log API access for monitoring
- Keep all dependencies up to date
- Regularly audit dependencies for vulnerabilities
- Use `npm audit` to check for known issues
- Remove unused dependencies
- Avoid exposing sensitive information in error messages
- Implement proper error handling
- Use secure randomness for tokens
- Sanitize file uploads
- Validate URLs before redirects
Security measures in place:
- HTTPS encryption for all traffic
- Secure database connections
- Environment variable management
- Regular security updates
- NextAuth.js for authentication
- Input validation and sanitization
- Content Security Policy (CSP)
- Rate limiting on API routes
- Secure session management
- Error tracking and logging
- Suspicious activity monitoring
- Regular security audits
- Dependency vulnerability scanning
Once a vulnerability is reported:
- Confirmation: We confirm the vulnerability and its severity
- Fix Development: We develop a fix in a private repository
- Testing: We thoroughly test the fix
- Release: We release a patch version
- Disclosure: We publish a security advisory with:
  - Description of the vulnerability
  - Affected versions
  - Patches available
  - Credit to the reporter
  - Mitigation steps
Security updates will be released as:
- Critical: Immediate patch release
- High: Patch within 7 days
- Medium: Patch within 30 days
- Low: Included in next regular release
If you discover a security issue in a third-party dependency:
- Report it to the maintainer of that package
- Notify us so we can track and update when patched
- We will monitor the issue and update dependencies accordingly
Before submitting a PR, ensure:
- No credentials or API keys in code
- All user inputs are validated and sanitized
- Authentication and authorization properly implemented
- No SQL/NoSQL injection vulnerabilities
- XSS protection implemented
- CSRF tokens used where needed
- Error messages don't expose sensitive data
- Dependencies are up to date
- Secure headers configured
- Rate limiting on sensitive endpoints
For security concerns, contact:
- GitHub: @moazamtech
We appreciate the security research community and acknowledge those who help keep Shadway secure:
- Security researchers who report vulnerabilities responsibly
- Contributors who follow security best practices
- Tools and services that help us maintain security
Last Updated: January 2025
Thank you for helping keep Shadway and its users safe! 🔒