| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of Zenvira seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please send an email to security@abnahid.com with the following information:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Location of the vulnerability (file path, URL, or component)
- Step-by-step instructions to reproduce the issue
- Proof of concept or exploit code (if available)
- Impact assessment of the vulnerability
- Suggested fix (if you have one)
After you report, here is what to expect:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its impact
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical vulnerabilities within 7 days
- Credit: We will credit you in our security acknowledgments (unless you prefer to remain anonymous)
The following are in scope:
- Zenvira client application (zenvira-client)
- Zenvira server API (server)
- Authentication and authorization systems
- Data handling and storage
- API endpoints
The following are out of scope:
- Vulnerabilities in third-party dependencies (report these to the respective maintainers)
- Social engineering attacks
- Physical security issues
- Denial of service attacks
When contributing to Zenvira, please follow these security practices:
- Never commit secrets - Load API keys, passwords and other credentials from environment variables, and keep .env files out of version control
- Validate all inputs on the server - Client-side validation improves the user experience but is trivially bypassed, so the server must treat every request field as untrusted and check its type, length and format before using it
- Use parameterized queries - Prisma's query builder and its $queryRaw tagged template send values as bind parameters; never build SQL strings from user input (for example for $queryRawUnsafe), which is how SQL injection happens
- Implement proper authentication - Use Better Auth's built-in session and password handling rather than hand-rolling your own
- Keep dependencies updated - Regularly update npm packages and review npm audit findings
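The following TypeScript is an added example, not Zenvira's own code. It puts the two rules above, server-side validation and parameterized queries, side by side: a query built by string interpolation next to one that sends the value as a bind parameter. No database is used; each builder returns the SQL text and parameter list a driver (or Prisma's $queryRaw) would send. The Product table, its id and name columns, and the request values are assumptions for illustration.

```typescript
// Added example, not Zenvira project code. Shows "validate all inputs on the
// server" and "use parameterized queries" side by side. No database is touched:
// each query builder returns the SQL text and the bind-parameter list that a
// driver (or Prisma's $queryRaw tagged template) would send separately.

interface SqlQuery {
  text: string;      // SQL sent to the database
  values: unknown[]; // bind parameters sent separately from the text
}

// Constructed inputs standing in for untrusted request data (assumed values).
const benignId = "42";
const hostileId = "42 OR 1=1 --";
const benignSearch = "  running shoes ";
const hostileSearch = "%' UNION SELECT email, password FROM \"User\" --";

// Server-side validation of an id: must be a positive decimal integer.
// Client-side checks are bypassed with curl, so the server re-validates every field.
function parseProductId(raw: unknown): number {
  if (typeof raw !== "string" || !/^[1-9]\d{0,9}$/.test(raw)) {
    throw new Error("invalid product id");
  }
  return Number(raw);
}

// Server-side validation of a free-text search term: trim, bound the length,
// reject control characters. Validation does NOT make the value safe to splice
// into SQL; a valid search term can still contain quotes. It is bound below.
function parseSearchTerm(raw: unknown): string {
  if (typeof raw !== "string") throw new Error("invalid search term");
  const term = raw.trim();
  if (term.length < 1 || term.length > 100 || /[\u0000-\u001f]/.test(term)) {
    throw new Error("invalid search term");
  }
  return term;
}

// VULNERABLE: the raw value becomes part of the SQL text. This is what string
// concatenation into $queryRawUnsafe (or any hand-built query) produces.
function unsafeProductById(rawId: string): SqlQuery {
  return { text: `SELECT * FROM "Product" WHERE id = ${rawId}`, values: [] };
}

// HARDENED: the validated value travels as bind parameter $1, never as SQL text.
function safeProductById(id: number): SqlQuery {
  return { text: 'SELECT * FROM "Product" WHERE id = $1', values: [id] };
}

// HARDENED search: the term is bound, and LIKE wildcards typed by the user are
// escaped so they match literally. A hostile term can never close the quote
// because there is no quote to close; the SQL text contains no user content.
function safeProductSearch(term: string): SqlQuery {
  const escaped = term.replace(/[\\%_]/g, (c) => `\\${c}`);
  return {
    text: `SELECT * FROM "Product" WHERE name ILIKE $1 ESCAPE '\\'`,
    values: [`%${escaped}%`],
  };
}

// Validate-then-query pipeline as a request handler would run it.
// Returns the query, or null when validation rejects the input.
function buildProductById(rawId: unknown): SqlQuery | null {
  try {
    return safeProductById(parseProductId(rawId));
  } catch {
    return null;
  }
}

function buildProductSearch(rawTerm: unknown): SqlQuery | null {
  try {
    return safeProductSearch(parseSearchTerm(rawTerm));
  } catch {
    return null;
  }
}
```

With the hostile id, unsafeProductById yields WHERE id = 42 OR 1=1 --, which returns every row; buildProductById rejects the same input before any query is built. The hostile search term passes validation (it is a plausible string), but with safeProductSearch it only ever reaches the database as a parameter value, so the UNION is matched as text rather than executed.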
Zenvira implements the following security measures:
- Password hashing with bcrypt
- Session-based authentication with secure cookies
- Role-based access control (customer, seller, admin)
- Email verification for new accounts
- CORS protection with configurable origins
- Input validation on all API endpoints
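As an added example of the CORS measure listed above (not Zenvira's own code), the TypeScript below implements a configurable origin allowlist the way it should be done, with exact matching against canonical origins, next to the prefix-match shortcut that lets an attacker-controlled host such as https://app.zenvira.example.evil.net through. The hostnames, the CORS_ORIGINS configuration string and the function names are assumptions for illustration.

```typescript
// Added example, not Zenvira project code. Shows "CORS protection with
// configurable origins" as an exact-match allowlist, next to the prefix-match
// shortcut that silently allows attacker-controlled hosts. Framework-agnostic:
// the functions take the request's Origin header value and return what to put
// in Access-Control-Allow-Origin, or null to send no CORS headers at all.

// Assumed configuration, in the form an environment variable such as
// CORS_ORIGINS might hold. The hostnames are placeholders, not Zenvira's.
const CORS_ORIGINS_ENV = "https://app.zenvira.example, https://Admin.Zenvira.example/";

// Reduce an origin string to canonical scheme://host[:port]. Returns null for
// anything that is not a plain http(s) origin (paths, userinfo, garbage).
// Host is lower-cased and a default port dropped so "https://A.example:443/"
// and "https://a.example" compare equal.
function canonicalOrigin(value: string): string | null {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([A-Za-z0-9.-]+)(?::(\d{1,5}))?\/?$/.exec(value.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3];
  if (scheme !== "http" && scheme !== "https") return null;
  const defaultPort = scheme === "https" ? "443" : "80";
  return port && port !== defaultPort ? `${scheme}://${host}:${port}` : `${scheme}://${host}`;
}

// Parse the configured list once at startup; fail fast on a malformed entry
// rather than discovering it when a request arrives.
function parseAllowedOrigins(envValue: string): string[] {
  const out: string[] = [];
  for (const entry of envValue.split(",")) {
    if (entry.trim() === "") continue;
    const origin = canonicalOrigin(entry);
    if (origin === null) throw new Error(`bad CORS origin in config: ${entry.trim()}`);
    out.push(origin);
  }
  return out;
}

const ALLOWED_ORIGINS = parseAllowedOrigins(CORS_ORIGINS_ENV);

// VULNERABLE: prefix matching. https://app.zenvira.example.evil.net starts with
// an allowed origin and is reflected back, with credentials if they are enabled.
function naiveCorsOrigin(requestOrigin: string | undefined, allowed: string[]): string | null {
  if (!requestOrigin) return null;
  for (const a of allowed) {
    if (requestOrigin.indexOf(a) === 0) return requestOrigin;
  }
  return null;
}

// HARDENED: canonicalise the request Origin and require an exact match.
// The literal "null" origin (sandboxed iframes, file://) is never trusted.
function strictCorsOrigin(requestOrigin: string | undefined, allowed: string[]): string | null {
  if (!requestOrigin || requestOrigin === "null") return null;
  const canonical = canonicalOrigin(requestOrigin);
  if (canonical === null) return null;
  return allowed.indexOf(canonical) !== -1 ? canonical : null;
}

// Response headers for an allowed origin. With credentials (session cookies)
// the origin must be echoed exactly, never "*", and Vary: Origin keeps shared
// caches from serving one origin's response to another.
function corsHeaders(allowedOrigin: string): Record<string, string> {
  return {
    "Access-Control-Allow-Origin": allowedOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

In a request handler, call strictCorsOrigin with the incoming Origin header; on null, send no Access-Control-Allow-* headers at all, and on a match, add corsHeaders(result) to the response. A scheme mismatch (http instead of https), a different port, or any host that merely begins with an allowed one is rejected, which is exactly where the prefix version fails.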
Thank you for helping keep Zenvira and our users safe!