We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
The security of this project is taken seriously. If you discover a security vulnerability, please follow these steps:
Please do not create a public GitHub issue for security vulnerabilities. This could put users at risk.
Send a detailed report to:
Email: satyasubudhi089@gmail.com
Subject: [SECURITY] Brief description of the vulnerability
To help us assess and fix the vulnerability quickly, please include:
- Type of vulnerability (e.g., XSS, CSRF, injection, etc.)
- Full path of the affected file(s)
- Step-by-step instructions to reproduce the issue
- Proof of concept or exploit code (if possible)
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up questions
**Vulnerability Type:** Cross-Site Scripting (XSS)
**Affected File(s):**
- src/components/ContactForm.tsx
**Description:**
A detailed description of the vulnerability...
**Steps to Reproduce:**
1. Navigate to the contact form
2. Enter the following in the message field: `<script>alert('XSS')</script>`
3. Submit the form
4. The script executes
**Impact:**
This could allow attackers to...
**Suggested Fix:**
Sanitize user input using DOMPurify or similar...
**Additional Context:**
Any other relevant information...We take security reports seriously and will respond according to the following timeline:
| Step | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Vulnerability Assessment | Within 5 business days |
| Fix Development | Depends on severity |
| Patch Release | As soon as possible |
| Public Disclosure | After fix is deployed |
- Critical - Fix within 24-48 hours
- High - Fix within 1 week
- Medium - Fix within 2 weeks
- Low - Fix in next release
After you submit a report:
- ✅ Acknowledgment - We'll confirm receipt of your report
- ✅ Assessment - We'll evaluate the severity and impact
- ✅ Updates - We'll keep you informed of our progress
- ✅ Fix - We'll develop and test a patch
- ✅ Release - We'll deploy the fix and notify users
- ✅ Credit - We'll acknowledge your contribution (if you wish)
-
Keep Dependencies Updated
npm audit npm audit fix npm update
-
Environment Variables
- Never commit
.envfiles - Use environment variables for sensitive data
- Add
.envto.gitignore
- Never commit
-
Input Validation
- Validate and sanitize all user inputs
- Use proper form validation
- Implement CSRF protection if handling forms
-
Content Security Policy
- Implement CSP headers
- Restrict script sources
- Use nonce or hash-based CSP
-
HTTPS Only
- Always deploy with HTTPS
- Use HSTS headers
- Redirect HTTP to HTTPS
-
Regular Audits
- Run
npm auditregularly - Review dependencies periodically
- Keep Node.js and npm updated
- Run
- All dependencies are up to date
- No sensitive data in environment variables
- HTTPS is enabled
- Content Security Policy is configured
- Input validation is implemented
- Error messages don't leak sensitive info
- Authentication tokens are stored securely
- CORS is properly configured
- Rate limiting is in place (if applicable)
This is a static portfolio website that runs entirely in the browser:
- ✅ No server-side code
- ✅ No database connections
- ✅ No user authentication
- ✅ No sensitive data storage
We use the following major dependencies:
- React - UI framework
- Vite - Build tool
- Tailwind CSS - Styling
- Framer Motion - Animations
These are regularly updated to their latest secure versions.
If you implement a contact form backend:
- Validate all inputs
- Implement rate limiting
- Use CAPTCHA to prevent spam
- Sanitize data before processing
- Use secure email services
Security patches will be:
- Released as soon as possible
- Announced in release notes
- Tagged with
securitylabel - Documented in CHANGELOG
Currently, we do not offer a bug bounty program. However, we deeply appreciate security researchers who responsibly disclose vulnerabilities.
Contributors who report valid security vulnerabilities will be:
- Acknowledged in release notes (if desired)
- Listed in SECURITY.md (with permission)
- Thanked publicly on social media (if agreed)
- npm audit - Check for vulnerabilities
- Snyk - Continuous security monitoring
- OWASP - Web security best practices
For security concerns, contact:
Satya Subudhi
📧 Email: satyasubudhi089@gmail.com
🐙 GitHub: @satya00089
Thank you for helping keep this project secure! 🔒