We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | β |
| 0.x.x | β |
We take security seriously. If you discover a security vulnerability in Finarva API, please follow these steps:
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please:
- Email us privately: Send details to
security@finarva.com - Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if available)
- Vulnerability Type: (e.g., SQL Injection, XSS, Authentication Bypass)
- Affected Components: Which parts of the system are affected
- Attack Vector: How the vulnerability can be exploited
- Impact Assessment: What data or functionality could be compromised
- Proof of Concept: Code or steps to demonstrate the issue
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days (depending on severity)
Our application implements the following security measures:
- JWT-based authentication with refresh tokens
- Role-based access control (RBAC)
- Password hashing using bcrypt
- Session management and timeout
- Rate limiting on all endpoints
- Input validation and sanitization
- CORS configuration
- Helmet.js for security headers
- Request size limiting
- Environment variable encryption
- Sensitive data redaction in logs
- Database connection encryption
- API key rotation policies
- Docker containerization
- Secure CI/CD pipeline
- Dependency vulnerability scanning
- Regular security audits
We appreciate security researchers who:
- Report vulnerabilities responsibly
- Allow reasonable time for fixes
- Don't access or modify user data
- Don't perform DoS attacks
In Scope:
- Authentication and authorization flaws
- Data injection vulnerabilities
- Cross-site scripting (XSS)
- Business logic vulnerabilities
- API endpoint security issues
Out of Scope:
- Social engineering attacks
- Physical security issues
- Third-party service vulnerabilities
- Rate limiting bypasses (unless critical)
- Security Email: security@finarva.com
- General Contact: support@finarva.com
- Response Time: 24-48 hours
Thank you for helping keep Finarva and our users safe! π