We actively support the following versions of EVID-DGC with security updates:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
| < 1.0 | ❌ |
Please report security vulnerabilities to DGC2MHNE@proton.me.
DO NOT create public GitHub issues for security vulnerabilities.
When reporting a security issue, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Reproduction: Step-by-step instructions to reproduce
- Environment: System details (OS, browser, Node.js version)
- Evidence: Screenshots, logs, or proof-of-concept code
- Suggested Fix: If you have ideas for remediation
Our response timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Status Updates: Weekly until resolution
- Fix Timeline: Critical issues within 7 days, others within 30 days
This security policy applies to:
- Main Application: All code in this repository
- Backend API: Express.js server and endpoints
- Database: Supabase integration and queries
- Authentication: MetaMask and email authentication
- File Upload: Evidence upload and processing
- Blockchain Integration: Smart contract interactions
- Dependencies: Third-party packages and libraries
The following are out of scope for this policy:
- Third-party Services: Supabase, Render, GitHub infrastructure
- Browser Extensions: MetaMask wallet extension
- Network Infrastructure: DNS, CDN, hosting providers
- Social Engineering: Phishing, pretexting attacks
- Physical Security: Device access, hardware tampering
Security measures currently in place:
- Row Level Security (RLS): Database access control
- Rate Limiting: API endpoint protection
- Input Validation: Server-side data sanitization
- CORS Protection: Cross-origin request filtering
- Secure Headers: Helmet.js security headers
- Password Hashing: bcrypt for password storage
- JWT Tokens: Secure session management
- File Type Validation: Upload restrictions
- SQL Injection Prevention: Parameterized queries
- XSS Protection: Content Security Policy
Vulnerability classes we consider in scope, in decreasing order of severity:
- Remote Code Execution (RCE)
- SQL Injection leading to data breach
- Authentication bypass
- Privilege escalation to admin
- Mass data exposure
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Insecure Direct Object References
- Sensitive data exposure
- Broken access controls
- Information disclosure
- Denial of Service (DoS)
- Weak cryptography
- Insecure configurations
- Missing security headers
- Information leakage
- Weak password policies
- Missing rate limiting
- Verbose error messages
We ask security researchers to follow these guidelines:
- Report First: Contact us before public disclosure
- Allow Time: Give us reasonable time to fix issues
- No Harm: Don't access, modify, or delete data
- Stay Legal: Comply with applicable laws
- Be Professional: Maintain confidentiality
Our commitment to researchers:
- No Legal Action: Against good-faith security research
- Credit: Public acknowledgment (if desired)
- Communication: Regular updates on fix progress
- Collaboration: Work together on remediation
Security recommendations for users:
- Strong Passwords: Use complex, unique passwords
- Two-Factor Authentication: Enable when available
- Keep Updated: Use latest browser and MetaMask versions
- Secure Environment: Use trusted networks and devices
- Verify URLs: Always check you're on the correct domain
Security practices for developers:
- Code Review: All changes require peer review
- Dependency Updates: Regular security updates
- Static Analysis: Automated security scanning
- Penetration Testing: Regular security assessments
- Security Training: Ongoing education for team
Our incident response process:
- Detection: Vulnerability reported or discovered
- Assessment: Severity and impact evaluation
- Containment: Immediate risk mitigation
- Investigation: Root cause analysis
- Remediation: Develop and test fix
- Deployment: Release security update
- Communication: Notify affected users
- Post-Mortem: Learn and improve processes
How we communicate security incidents:
- Security Advisories: Published on GitHub
- User Notifications: Email alerts for critical issues
- Status Page: Real-time incident updates
- Release Notes: Security fixes documented
Security standards and frameworks we follow:
- OWASP Top 10: Web application security risks
- NIST Cybersecurity Framework: Security controls
- ISO 27001: Information security management
- GDPR: Data protection and privacy
- SOC 2: Security and availability controls
Additional commitments:
- Regular security audits and assessments
- Compliance with legal evidence handling requirements
- Blockchain security best practices
- Cryptographic standards (AES-256, SHA-256)
Security contact details:
- Email: DGC2MHNE@proton.me
- Response Time: 48 hours maximum
- Encryption: PGP key available upon request
- Languages: English
For critical security issues requiring immediate attention:
- Priority: Mark email subject with "[CRITICAL SECURITY]"
- Response: Within 24 hours
- Escalation: Direct contact with development team
We thank the following security researchers who have helped improve EVID-DGC:
No security issues have been reported yet.
Security researchers who report valid vulnerabilities will be acknowledged here (with permission).
We support safe harbor for security researchers who:
- Make good faith efforts to avoid privacy violations
- Don't access or modify user data without permission
- Report vulnerabilities promptly and responsibly
- Don't perform attacks that could harm users
This policy only covers the EVID-DGC application. Issues with third-party services should be reported to their respective security teams.
Last Updated: January 2026
Version: 1.0
Next Review: July 2026