We actively support and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- DO NOT create a public GitHub issue for security vulnerabilities
- Email us at: security@connecto.app
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: We'll acknowledge your report within 24-48 hours
- Status Update: We'll keep you updated on our progress
- Resolution: We'll work to fix the vulnerability and release a patch
- Credit: With your permission, we'll credit you in the security advisory
- We follow a coordinated disclosure process
- We request that you give us reasonable time to address the vulnerability before public disclosure
- We aim to release a fix within 30 days of confirmed vulnerability
- Use strong passwords: At least 12 characters with a mix of letters, numbers, and symbols
- Enable 2FA: Two-factor authentication adds an extra layer of security
- Keep credentials private: Never share your login credentials
- Verify URLs: Always check you're on the official Connecto site
- Report suspicious activity: Report any suspicious messages or behavior
If you're contributing to Connecto:
- Never commit secrets: Don't commit API keys, passwords, or tokens to version control
- Use environment variables: Store sensitive data in
.envfiles - Validate input: Always validate and sanitize user input
- Use parameterized queries: Prevent SQL injection by using parameterized queries
- Follow least privilege: Only request necessary permissions
- Secure password hashing using Supabase Auth
- Email verification for new accounts
- Session management with secure tokens
- HTTPS for all connections
- Row-level security (RLS) in Supabase
- Data encryption at rest
- Users control their profile visibility
- Option to delete account and data
- No third-party data sharing
While we perform client-side validation for better UX, all data is also validated on the server side via Supabase. Never rely solely on client-side validation.
- File types are validated server-side
- File size limits are enforced
- Files are scanned for malware before processing
API requests are rate-limited to prevent abuse. If you hit rate limits, wait before making additional requests.
User-generated content is sanitized to prevent XSS attacks. We use React's built-in escaping and additional sanitization for rich content.
- Watch the GitHub repository for releases
- Follow our security advisories
- Update to the latest version regularly
See CHANGELOG.md for security-related updates in each release.
We are committed to:
- GDPR compliance for EU users
- CCPA compliance for California users
- Following OWASP guidelines
- Regular security audits
For security-related inquiries:
- Email: security@connecto.app
- PGP Key: Available upon request
Thank you for helping keep Connecto secure! 🛡️