If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Open a GitHub Security Advisory
- Include: description, steps to reproduce, potential impact
We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.
- Authentication bypass
- Data exposure (user data, tokens)
- Injection vulnerabilities (SQL, XSS, command)
- Encryption weaknesses
- Denial of service
- Social engineering
- Issues in dependencies (report upstream)
- JWTs signed with a mandatory secret (the app refuses to start without JWT_SECRET)
- Fitbit OAuth tokens encrypted at rest (Fernet)
- OAuth state parameters HMAC-signed with 10-minute expiry
- CORS restricted to configured frontend origin
- No secrets in git history
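As an added illustration of the HMAC-signed OAuth state with a 10-minute expiry listed above (example code, not the project's own; it assumes a Python backend, which the Fernet mention suggests, and a secret supplied by the caller from configuration):

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example: state = "<nonce>.<expiry>.<hex HMAC-SHA256 over nonce.expiry>".
# The secret is assumed to come from app configuration, like JWT_SECRET above.
STATE_TTL_SECONDS = 600  # the 10-minute window from the list above


def create_state(secret: bytes, now: Optional[float] = None) -> str:
    """Return a fresh state value bound to this secret and valid for 10 minutes."""
    if now is None:
        now = time.time()
    nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains "."
    expiry = str(int(now) + STATE_TTL_SECONDS)
    payload = f"{nonce}.{expiry}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_state(secret: bytes, state: str, now: Optional[float] = None) -> bool:
    """Accept only a well-formed, untampered, unexpired state for this secret.

    The signature is checked before the expiry so an attacker cannot learn
    anything about the secret from which check rejected a forged value.
    A real app would also bind the nonce to the user's session to stop replay
    within the window (assumption, not shown here).
    """
    if now is None:
        now = time.time()
    parts = state.split(".")
    if len(parts) != 3:
        return False
    nonce, expiry, sig = parts
    if not expiry.isdigit():
        return False
    payload = f"{nonce}.{expiry}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False
    return int(now) < int(expiry)
```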