We release patches for security vulnerabilities for the following versions:

We take the security of Radar seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should not be disclosed publicly until a fix is available.

Send details to: security@wbfoss.org

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)
• Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 24-48 hours
  • High: 7 days
  • Medium: 14 days
  • Low: 30 days

• We will acknowledge your report within 48 hours
• We will provide regular updates on our progress
• Once a fix is available, we will:
  1. Deploy the fix
  2. Publish a security advisory
  3. Credit you (if you wish) in the advisory

• No User Data Storage: We do not store user data beyond OAuth sessions
• No Database: All data is in Git, version-controlled and auditable
• Environment Variables: Secrets managed via environment variables (never committed)

• GitHub OAuth: Secure authentication via Auth.js (NextAuth)
• API Protection: All write operations require authentication
• CSRF Protection: Built into Auth.js
• Rate Limiting: Implemented at middleware level

• Zod Schemas: All inputs validated with strict schemas
• Allowlists: Tags and licenses validated against allowlists
• URL Validation: Repository and website URLs validated
• File Size Limits: Logo files limited to 200 KB
• Content Sanitization: All user content sanitized

• HTTPS Only: All traffic over HTTPS
• Security Headers:
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
• Webhook Verification: HMAC signature verification for GitHub webhooks
• Dependency Scanning: Automated via Dependabot

• Branch Protection: Main branch requires reviews and passing CI
• Signed Commits: Recommended (not required)
• DCO: Contributor agreement via sign-off
• Secrets Management: GitHub Secrets for sensitive data

• Security vulnerabilities in the application code
• Authentication/authorization bypasses
• XSS, CSRF, injection vulnerabilities
• Information disclosure
• Denial of service (if reproducible)

• Issues in dependencies (report to maintainers directly)
• Social engineering attacks
• Physical security
• Spam/abuse of submission form (report via normal channels)
• Issues requiring physical access to infrastructure

1. Never commit secrets (API keys, tokens, passwords)
2. Validate all inputs before processing
3. Use parameterized queries (if adding database features)
4. Avoid eval() and similar dangerous functions
5. Keep dependencies updated

1. No executable code in TOML files
2. Validate URLs before adding
3. Check file sizes for logos
4. No external resources loaded at runtime

1. Use .env.local for local secrets (never commit)
2. Rotate tokens regularly
3. Minimum permissions for GitHub tokens (public_repo only)
4. Webhook secrets should be random, high-entropy strings

None currently. Check Security Advisories for updates.

Subscribe to security advisories:

• Watch this repository
• Enable notifications for security updates
• Follow @wbfoss for announcements

• Security Email: security@wbfoss.org
• General Contact: community@wbfoss.org
• GitHub: https://github.com/wbfoss/fossradar

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be credited in:

• Security advisories
• CHANGELOG
• Hall of Fame (if desired)

Thank you for helping keep Radar secure!