Security: Sehastrajit/Learnora

SECURITY.md

Security Policy

Supported Versions

Only the latest version on the main branch receives security fixes.

Branch       Supported
main         Yes
older tags   No

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Please report security issues by emailing the maintainer directly. Include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any suggested fix (optional but appreciated)

You can expect an acknowledgement within 48 hours and a resolution or mitigation plan within 14 days. We will credit reporters in the release notes unless you prefer to remain anonymous.

Scope

The following are in scope:

  • Authentication and authorisation bypass
  • SQL injection or ORM query manipulation
  • Sensitive data exposure (tokens, passwords, PII)
  • Cross-site scripting (XSS) in rendered content
  • Server-side request forgery (SSRF)
  • Insecure file upload handling

The following are out of scope:

  • Denial-of-service attacks requiring large volumes of requests
  • Issues in third-party dependencies that have already been publicly disclosed (open an issue linking the CVE instead)
  • Rate limiting gaps on non-sensitive endpoints

Hardening Notes for Self-Hosters

  • Set a strong SECRET_KEY (at minimum 32 random bytes)
  • Never expose the backend port (8000) directly to the public internet — proxy through nginx or a similar reverse proxy
  • Restrict UPLOAD_DIR permissions to the application user only
  • Use HTTPS in production; set SECURE_COOKIES=true if you add cookie-based auth
  • Rotate GROQ_API_KEY and database credentials regularly
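As an added example (not code from the Learnora project), a pre-start audit a self-hoster can run against the notes above: it mints a SECRET_KEY of 32 random bytes, rejects short or repetitive keys, checks UPLOAD_DIR ownership and mode, and flags a backend listening on all interfaces or running without SECURE_COOKIES=true. BIND_HOST is an assumed variable name for the backend's listen address, and the file checks assume a POSIX host.

```python
from __future__ import annotations
import secrets
import stat
from pathlib import Path

MIN_SECRET_BYTES = 32  # "at minimum 32 random bytes", per the hardening notes


def generate_secret_key() -> str:
    """Mint a SECRET_KEY holding 32 random bytes (URL-safe base64, 43 chars)."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


def check_secret_key(value: str | None) -> list[str]:
    """32 random bytes encode to >= 32 characters with a wide spread of
    symbols; a short or repetitive value was not produced that way."""
    if not value:
        return ["SECRET_KEY is not set"]
    findings = []
    if len(value) < MIN_SECRET_BYTES:
        findings.append(f"SECRET_KEY is {len(value)} chars; 32 random bytes need >= 32")
    if len(set(value)) < 10:
        findings.append("SECRET_KEY has too few distinct characters to be random")
    return findings


def check_upload_dir(path: Path, app_uid: int) -> list[str]:
    """UPLOAD_DIR must belong to the application user and grant nothing to group/other."""
    st = path.stat()
    findings = []
    if st.st_uid != app_uid:
        findings.append(f"UPLOAD_DIR owned by uid {st.st_uid}, expected {app_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"UPLOAD_DIR mode {stat.S_IMODE(st.st_mode):04o} is group/other accessible; use 0700")
    return findings


def check_network(bind_host: str, secure_cookies: str | None) -> list[str]:
    """Behind nginx the backend should listen on loopback only; cookies must be Secure."""
    findings = []
    if bind_host in ("", "0.0.0.0", "::"):
        findings.append(f"backend listens on {bind_host!r}; bind 127.0.0.1 and proxy port 8000 via nginx")
    if (secure_cookies or "").lower() != "true":
        findings.append("SECURE_COOKIES is not 'true'")
    return findings


def audit(env: dict[str, str], upload_dir: Path, app_uid: int) -> list[str]:
    """Run all checks; an empty list means the deployment satisfies these notes."""
    # BIND_HOST is an assumed variable name, not one taken from the project
    return (check_secret_key(env.get("SECRET_KEY"))
            + check_upload_dir(upload_dir, app_uid)
            + check_network(env.get("BIND_HOST", "0.0.0.0"), env.get("SECURE_COOKIES")))
```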