We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 2.x.x | ✅ Yes |
| 1.x.x | ❌ No |
- JWT Authentication: Secure token-based authentication with rotation
- OAuth Integration: Google and GitHub OAuth 2.0 support
- Role-Based Access: Admin and user permission levels
- Password Security: Argon2 password hashing (salted per password)
- Rate Limiting: Configurable request rate limits
- CORS Protection: Cross-origin request security
- Input Validation: Comprehensive data sanitization with Zod
- API Key Management: Secure API key generation and validation
- HTTPS Enforcement: Automatic SSL/TLS with Caddy
- Docker Security: Multi-stage builds with minimal attack surface
- Environment Isolation: Secure environment variable management
- Database Security: Parameterized queries preventing SQL injection
We take security seriously. If you discover a security vulnerability, please follow these steps:
- Email: security@dxbmark.com
- Subject: [SECURITY] LicenseGate Vulnerability Report
- Encryption: PGP key available on request
Alternatively, use GitHub's private vulnerability reporting on the repository:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the private vulnerability report
Please include in your report:
- Description: Clear description of the vulnerability
- Impact: Potential impact and affected components
- Reproduction: Step-by-step reproduction instructions
- Environment: Version, OS, and configuration details
- Proof of Concept: Code or screenshots (if applicable)
Response timeline:
- Initial Response: Within 24 hours
- Vulnerability Assessment: Within 72 hours
- Fix Development: 1-7 days (depending on severity)
- Security Release: As soon as the fix is ready and tested
Severity levels and target response times:
- Critical (remote code execution, authentication bypass, data breach potential): immediate response, within 24 hours
- High (privilege escalation, sensitive data exposure): response within 72 hours
- Medium (information disclosure, denial of service): response within 1 week
- Low (minor information leaks): response within 2 weeks
We appreciate security researchers who help keep LicenseGate secure:
No vulnerabilities reported yet - be the first!
- Critical: Public recognition + $100 bounty
- High: Public recognition + $50 bounty
- Medium: Public recognition
- Low: Public recognition
Bounties are subject to verification and responsible disclosure.
- Use HTTPS: Always deploy with SSL/TLS certificates
- Secure Environment Variables: Never commit secrets to version control
- Regular Updates: Keep dependencies and system packages updated
- Database Security: Use strong passwords and restrict network access
- Backup Security: Encrypt backups and store securely
```env
# JWT signing secret: at least 32 characters, randomly generated (use a CSPRNG,
# never this placeholder value)
JWT_SECRET=your-super-secure-random-string-min-32-chars
# Database connection: strong, unique password; restrict network access to the database host
DATABASE_URL=mysql://user:strong-password@localhost:3306/licensegate
# SMTP credentials: use an app-specific password rather than the mailbox's main password
SMTP_USERNAME=your-secure-email@domain.com
SMTP_PASSWORD=your-app-specific-password
```
For OAuth integrations:
- Use HTTPS redirect URIs only
- Regularly rotate OAuth client secrets
- Monitor OAuth application permissions
- Implement proper scope restrictions
- Dependency Scanning: Automated vulnerability scanning with npm audit
- Code Analysis: Static analysis for security issues
- Penetration Testing: Regular security assessments
- Access Reviews: Periodic review of user permissions
- Failed Login Attempts: Monitoring and alerting
- API Rate Limiting: Automatic blocking of suspicious activity
- Audit Logging: Comprehensive activity logging
- Error Monitoring: Security-relevant error tracking
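As an added illustration of the failed-login monitoring and automatic blocking listed above (example code, not LicenseGate's own), here is a sliding-window detector run over a constructed audit log. The log line format, the event names `auth.login.failed` / `auth.login.success`, and the window and threshold defaults are assumptions for this example; adapt the parser to the application's real log format.

```javascript
// Added example, not LicenseGate project code. Log format and thresholds are assumptions.

// Constructed audit-log sample, in chronological order. 203.0.113.5 fails five
// times in 19 seconds; 198.51.100.7 fails five times but spread over nine minutes.
const SAMPLE_AUTH_LOG = [
  '2024-11-06T10:00:01Z auth.login.failed ip=203.0.113.5 user=alice',
  '2024-11-06T10:00:04Z auth.login.failed ip=203.0.113.5 user=alice',
  '2024-11-06T10:00:05Z auth.login.failed ip=198.51.100.7 user=bob',
  '2024-11-06T10:00:09Z auth.login.failed ip=203.0.113.5 user=admin',
  '2024-11-06T10:00:12Z auth.login.success ip=198.51.100.7 user=bob',
  '2024-11-06T10:00:15Z auth.login.failed ip=203.0.113.5 user=root',
  '2024-11-06T10:00:20Z auth.login.failed ip=203.0.113.5 user=alice',
  '2024-11-06T10:03:30Z auth.login.failed ip=198.51.100.7 user=bob',
  '2024-11-06T10:05:00Z auth.login.failed ip=198.51.100.7 user=bob',
  '2024-11-06T10:07:00Z auth.login.failed ip=198.51.100.7 user=bob',
  '2024-11-06T10:09:00Z auth.login.failed ip=198.51.100.7 user=bob',
  'garbage line that does not parse and must be skipped',
];

const LINE_RE = /^(\S+) (\S+) ip=(\S+) user=(\S+)$/;

// Parse one line into { ts, event, ip, user }; returns null for anything malformed.
function parseAuthLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, event: m[2], ip: m[3], user: m[4] };
}

// Sliding-window counter per source IP. An alert fires when the number of failures
// within `windowMs` reaches `threshold`; the window is then cleared so a sustained
// attack re-alerts every `threshold` failures rather than on every line.
function detectFailedLoginBursts(lines, { windowMs = 60000, threshold = 5 } = {}) {
  const failuresByIp = new Map();
  const alerts = [];
  for (const line of lines) {
    const ev = parseAuthLine(line);
    if (!ev || ev.event !== 'auth.login.failed') continue;
    const entry = failuresByIp.get(ev.ip) || { times: [], users: new Set() };
    failuresByIp.set(ev.ip, entry);
    // Expire failures that fell out of the window relative to this event.
    while (entry.times.length && ev.ts - entry.times[0] > windowMs) entry.times.shift();
    entry.times.push(ev.ts);
    entry.users.add(ev.user);
    if (entry.times.length >= threshold) {
      alerts.push({
        ip: ev.ip,
        at: new Date(ev.ts).toISOString(),
        failures: entry.times.length,
        // More than one target account from one IP points at credential stuffing
        // or password spraying rather than a single user mistyping.
        distinctUsers: entry.users.size,
        action: 'block',
      });
      entry.times = [];
      entry.users = new Set();
    }
  }
  return alerts;
}

console.log(detectFailedLoginBursts(SAMPLE_AUTH_LOG));
```

With the defaults (5 failures in 60 seconds) only 203.0.113.5 is flagged; widening the window to 10 minutes also catches the slow attempts from 198.51.100.7, which is the trade-off between catching low-and-slow guessing and blocking a legitimate user who mistypes a few times.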
For security-related questions or concerns:
- Security Team: security@dxbmark.com
- General Contact: support@dxbmark.com
- GitHub: @TariqSaid
Last Updated: November 6, 2024
Security Policy Version: 1.0
Next Review: February 6, 2025