| Version | Supported |
|---|---|
| 0.8.x | Active |
| 0.7.x | Security fixes only |
| 0.6.x | No longer supported |
| < 0.6 | No longer supported |
Do NOT file a public GitHub issue for security vulnerabilities.

- Go to the Security tab
- Click "Report a vulnerability"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected versions
  - Potential impact
  - Suggested fix (if any)
| Stage | Target time |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix development | 14 business days (critical), 30 days (high) |
| Advisory published | After fix is released |
- SQL injection via unsanitized Drift query inputs
- Path traversal in file read/write operations (PDF, image)
- Insecure local storage of sensitive shop or payment data
- Void/refund bypass — circumventing atomic void flow to manipulate stock or revenue
- Inventory log tampering — modifying audit trail records outside application flow
- Dependency vulnerabilities in third-party packages
- UI bugs or UX issues
- Missing features
- Configuration errors by the user
- Device-level security (screen lock, etc.) — outside app scope
Promsell is an offline-first local app with no network access by default:
- Local-only storage — all data stays on device via SQLite
- No server communication — no API keys, no remote calls in core flow
- App settings table (Drift-backed) — stores non-sensitive settings (locale, theme, shop name, VAT mode, stock policy); also stores receipt sequence counter and device prefix
- Atomic transactions — sale creation, void, and stock adjustments run inside Drift DB transactions to prevent partial writes
- Inventory audit trail — all stock changes (SALE, VOID_REVERSAL, ADJUSTMENT_IN/OUT) are logged immutably in `inventory_logs` table
- Backup encryption v2 (v0.7.5+) — AES-256-GCM with PIN-derived PBKDF2-HMAC-SHA256 at 100,000 iterations (RFC 2898). v1 format (weak ~3 HMAC rounds) still decrypts for backward compatibility but new backups use v2. Toggle in Settings → Backup
- Image format validation (v0.7.5+) — `ProductImageService._isValidImage()` rejects non-image files (`.jpg`, `.jpeg`, `.png`, `.webp`, `.gif`, `.bmp`, `.heic` only); prevents malicious file upload via picker
- Image cache eviction (v0.7.5+) — `ImageCacheService` enforces 50MB LRU limit on `/images/` directory; prevents disk space exhaustion from uncompressed product photos
- PDF generation — local only, no upload
- Orphaned image cleanup (v0.8.0+) — `AddProductPage` tracks temp image paths and deletes orphaned files on dispose/discard; `ClearOrphanedImages` usecase removes unused images from `/images/` directory. Prevents disk space exhaustion from abandoned temp files
- Dependency hygiene — keep `flutter pub upgrade` current; run `flutter pub audit`
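
The construction named in the backup encryption v2 item (PIN stretched with PBKDF2-HMAC-SHA256 at 100,000 iterations, then AES-256-GCM) is shown below as an added Node.js example; it is not Promsell's own Dart code. The `BKv2` tag, the field order, the 16-byte salt, the 12-byte nonce and all function names are assumptions made for the illustration.

```javascript
// Added illustration (Node.js). The container layout and the "BKv2" tag are
// assumptions made for this example, not Promsell's actual backup format.
const nodeCrypto = require('crypto');

const ITERATIONS = 100000;            // PBKDF2-HMAC-SHA256 rounds stated for v2
const MAGIC = Buffer.from('BKv2');    // hypothetical 4-byte version tag
const HEADER_LEN = 4 + 16 + 12 + 16;  // magic | salt | nonce | GCM tag

// Stretch the PIN into a 256-bit AES key; the salt is random per backup.
function deriveKey(pin, salt) {
  return nodeCrypto.pbkdf2Sync(Buffer.from(pin, 'utf8'), salt, ITERATIONS, 32, 'sha256');
}

// Assumed layout: MAGIC | salt(16) | nonce(12) | tag(16) | ciphertext
function encryptBackup(pin, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(pin, salt), nonce);
  cipher.setAAD(MAGIC); // authenticate the version tag along with the data
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), ciphertext]);
}

function decryptBackup(pin, blob) {
  // Refuse anything that is not tagged v2 instead of guessing a legacy format.
  if (blob.length < HEADER_LEN || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error('not a v2 backup');
  }
  const salt = blob.subarray(4, 20);
  const nonce = blob.subarray(20, 32);
  const tag = blob.subarray(32, 48);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(pin, salt), nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  // final() throws when the PIN is wrong or any authenticated byte was changed.
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
}

// Returns the plaintext string, or null when authentication fails.
function tryDecrypt(pin, blob) {
  try {
    return decryptBackup(pin, blob).toString('utf8');
  } catch (err) {
    return null;
  }
}
```

PBKDF2 raises the cost of each PIN guess but adds no entropy, so the strength of a backup still depends on the length of the PIN.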
For the full fix history, see CHANGELOG.md.