## Supported Versions

| Version | Supported |
|---|---|
| 2.x | yes |
| < 2.0 | no |

## Reporting a Vulnerability

Please report vulnerabilities privately and do not open public issues for security problems.

- Security email: security@amlak-web.com
- GitHub advisory: create a private advisory

Include the following in your report:

- Affected component and version
- Clear reproduction steps
- Expected vs actual behavior
- Impact assessment
- Optional mitigation suggestion

## Response Timeline

- Initial acknowledgement: within 24 hours
- Triage decision: within 48 hours
- Fix timeline: usually 7-14 days (depends on severity)

## Security Measures

- JWT authentication with expiration
- Role-based access checks for admin endpoints
- Password hashing via bcrypt
- Login and registration rate limiting
- Request payload size limits
- File upload type and size checks
- Environment-based CORS policy

## Configuration Recommendations

- Use HTTPS only in production
- Set a strong `JWT_SECRET` (required)
- Restrict `ALLOWED_ORIGINS` to trusted domains
- Keep dependencies updated
- Rotate credentials periodically
- Store secrets only in environment variables

## Disclosure Process

We follow responsible disclosure:

- Private report
- Verification and severity assessment
- Patch and validation
- Coordinated public disclosure if needed