We take the security of CodeScrolls seriously. If you discover a security vulnerability, please help us by reporting it responsibly.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

• Email: security@codescrolls.site
• Subject: [SECURITY] Vulnerability Report - CodeScrolls

You can also report security issues directly to the maintainer:

• Email: praveencdg@gmail.com
• Subject: [SECURITY] CodeScrolls Vulnerability

• Initial Response: Within 24 hours
• Vulnerability Assessment: Within 72 hours
• Fix Development: Within 1-2 weeks for critical issues
• Public Disclosure: After fix is deployed and tested

Please include the following information in your report:

1. Description: Clear description of the vulnerability
2. Impact: Potential impact and severity
3. Steps to Reproduce: Detailed reproduction steps
4. Affected Versions: Which versions are affected
5. Environment: Browser, OS, and other relevant details
6. Proof of Concept: If available (please be careful with this)
7. Suggested Fix: If you have ideas for fixing it

We use the following severity levels:

• Critical: Remote code execution, SQL injection, authentication bypass
• High: XSS, CSRF, data exposure, privilege escalation
• Medium: Information disclosure, DoS attacks
• Low: Minor issues, best practice violations

CodeScrolls implements several security measures:

• Regular dependency updates via Dependabot
• Automated security scanning with npm audit
• Manual review of major dependency updates

• TypeScript for type safety
• ESLint for code quality
• Prettier for consistent formatting
• Automated testing and CI/CD

• Hosted on Vercel with automatic security updates
• HTTPS enabled by default
• Content Security Policy headers
• Regular security audits

• No user data collection without consent
• GDPR and CCPA compliance
• Transparent privacy policy
• Minimal third-party integrations

We kindly ask that you:

• Give us reasonable time to fix the issue before public disclosure
• Avoid accessing or modifying user data
• Don't perform DoS attacks or degrade service performance
• Don't spam our systems with automated vulnerability scanners

We appreciate security researchers who help keep our project safe. With your permission, we'll acknowledge your contribution in our security advisory and add you to our Hall of Fame.

Past security advisories and fixes can be found in our:

• GitHub Security Advisories
• CHANGELOG.md - Security updates section

• Project URL: https://codescrolls.site
• Repository: https://github.com/Praveenskg/codescrolls
• Maintainer: Praveen Singh
• Email: praveencdg@gmail.com

Thank you for helping keep CodeScrolls secure! 🛡️

This security policy is inspired by industry best practices and the OpenSSF Security Policy template.