Security Policy¶
Do not use public GitHub issues for vulnerabilities
Email qniranjan.dev@gmail.com with subject AuthEngine Security Report.
See reporting steps below.
For architecture hardening and token design, see Security Overview.
Canonical copy on GitHub: SECURITY.md
Supported versions¶
| Version | Supported |
|---|---|
main (latest) |
Yes |
| Older release tags | Best effort — upgrade to latest |
Production operators: Deployment
Reporting a vulnerability¶
- Email: qniranjan.dev@gmail.com
Subject:AuthEngine Security Report - Include:
- Description of the vulnerability
- Steps to reproduce
- Affected component (
auth-engine,auth-engine-dashboard, orauth-engine-infra) - Impact assessment (if known)
- GitHub username (optional, for credit)
You should receive an acknowledgement within 72 hours.
When a fix is ready, we will publish a patched release or document upgrade steps and credit reporters who wish to be named.
Scope¶
In scope
- Authentication bypass, session fixation, privilege escalation
- OIDC/OAuth misconfiguration or token validation flaws
- SQL injection, IDOR, multi-tenant isolation breaks
- Secrets exposure in repository or default configuration
- Infrastructure misconfigurations documented in this project
Out of scope (use regular issues)
- Denial of service without a proven exploit chain
- Social engineering
- Third-party services (AWS, Atlas, Upstash, SendGrid, etc.)
- Upstream dependency CVEs already fixed — open a PR or Dependabot fix instead
Safe deployment reminders¶
- Strong
SECRET_KEYandJWT_SECRET_KEY(32+ random bytes) - Restrict EC2 security groups and RDS to the API host
/opt/authengine/.envpermissions600- MFA for super-admin and platform operators
- Rotate credentials if ever committed or shared
Details: Security Overview
Language¶
English is preferred for security reports.