We actively support and provide security updates for the following versions:

We take the security of Real-Time Launchpad seriously. If you have discovered a security vulnerability, please report it as described below.

Please do not file public GitHub issues for security vulnerabilities.

Instead, report security vulnerabilities privately by:

1. Email: Contact the maintainer directly at: [put email here]
2. GitHub Security: Use GitHub's Security Advisory feature

When reporting a vulnerability, please provide:

• Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
• Full paths of affected source files
• Step-by-step instructions to reproduce the issue
• Proof-of-concept exploit code (if possible)
• Potential impact of the vulnerability
• Suggested fix (if any)

• Initial Response: Within 24-48 hours
• Status Update: Within 5 business days
• Resolution: As soon as possible, depending on severity

We use the following severity classifications:

• Critical: Remote code execution, authentication bypass, data disclosure
• High: SQL injection, cross-site scripting (XSS), privilege escalation
• Medium: Information disclosure, CSRF, insecure dependencies
• Low: Minor security weaknesses, best practice violations

• Always validate and sanitize user input
• Use parameterized queries to prevent SQL injection
• Implement proper authentication and authorization
• Keep dependencies up to date
• Use HTTPS in production
• Implement rate limiting where appropriate
• Follow the principle of least privilege

• Keep your dependencies up to date
• Use environment variables for sensitive configuration
• Never commit secrets or API keys to version control
• Regularly review access logs and security monitoring
• Use strong, unique passwords for all accounts

This project implements several security measures:

• Server Actions: Type-safe server-side operations
• Input Validation: Automatic validation on all user inputs
• CSRF Protection: Built-in protection against cross-site request forgery
• Security Headers: Configured via proxy.ts for enhanced security
• Dependency Scanning: Regular updates to address known vulnerabilities

When we receive a security bug report, we will:

1. Confirm the issue and determine affected versions
2. Audit code to identify any potential similar problems
3. Prepare a fix and test it thoroughly
4. Issue a security advisory and release the fix
5. Credit the reporter (if desired)

We aim to resolve critical issues within 7 days and communicate progress regularly.

Security researchers who responsibly report vulnerabilities will be:

• Credited in release notes (if desired)
• Listed in our SECURITY.md contributors section
• Subject to our appreciation and thanks

• Next.js Security Best Practices
• React Security Guidelines
• OWASP Top 10
• Node.js Security Best Practices

For security-related questions or concerns:

• Email: [put email here]
• GitHub Security: Private Vulnerability Report

Thank you for helping keep Real-Time Launchpad secure!