We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to the project maintainer. You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We'll assess the vulnerability and determine its severity within 7 days
- Fix Development: We'll work on a fix and keep you updated on progress
- Disclosure: Once a fix is available, we'll coordinate disclosure timing with you
- Credit: We'll credit you in the security advisory (unless you prefer to remain anonymous)
- Never commit
.envfiles or API keys to version control - Use environment variables for all sensitive configuration
- Rotate API keys regularly
- Use separate API keys for development and production
- The studio uses JWT tokens for authentication with the Clypra API
- Tokens are stored in
localStorage- clear them when logging out - Admin access requires proper JWT token with
isAdmin: trueclaim - Never share your authentication tokens
- Regularly update dependencies to get security patches
- Review dependency updates for security advisories
- Use
npm auditto check for known vulnerabilities
- Use HTTPS in production
- Set proper CORS headers in the API
- Enable Content Security Policy (CSP) headers
- Use environment-specific configuration
- Don't expose sensitive endpoints publicly
- JWT tokens are stored in
localStorage - Consider using
httpOnlycookies for production deployments - Clear tokens on logout
- Gemini API calls should go through your backend (already implemented)
- Never expose API keys in client-side code
- Implement rate limiting on API endpoints
- Validate file types and sizes
- Sanitize file names
- Use virus scanning for user-uploaded content in production
- React provides XSS protection by default
- Be cautious with
dangerouslySetInnerHTML - Sanitize user input before rendering
- Validate and escape data from external sources
- Admin routes are protected with JWT authentication
- Filter Lab and MPG Playground require admin privileges
- Verify
isAdminclaim server-side for sensitive operations
We use automated tools to monitor dependencies:
- Dependabot: Automatic security updates
- npm audit: Regular vulnerability scanning
- GitHub Security Advisories: Monitoring for known issues
Run security checks:
# Check for vulnerabilities
npm audit
# Fix vulnerabilities automatically
npm audit fix
# Check for outdated packages
npm outdated- Security vulnerability reported or discovered
- Vulnerability assessed and severity determined
- Fix developed and tested
- Security advisory published
- Fix released with patch version bump
- Users notified via GitHub Security Advisories
For security concerns, contact:
- Email: [Your security email]
- GitHub: @AIEraDev
We recognize security researchers who responsibly disclose vulnerabilities:
No vulnerabilities reported yet
Thank you for helping keep Clypra Studio and its users safe!