We release security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security issue in Sunrise, please report it responsibly.

Please DO NOT open a public GitHub issue for security vulnerabilities.

Instead, report security issues privately:

1. GitHub Security Advisories (preferred):
   • Go to the Security tab
   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability

Please provide as much information as possible:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if you have one)
• Your contact information for follow-up

• Initial response: Within 48 hours
• Status update: Within 7 days
• Fix timeline: Varies by severity (critical issues prioritized)

When deploying Sunrise in production:

1. Environment Variables:

   • Never commit .env.local or .env.production to version control
   • Use strong, randomly-generated secrets for BETTER_AUTH_SECRET
   • Rotate secrets regularly

2. Database:

   • Use strong database passwords
   • Restrict database access to application servers only
   • Enable SSL/TLS for database connections in production

3. Dependencies:

   • Dependabot opens weekly update PRs automatically; enable "Dependabot security updates" in repo settings for vulnerability-driven PRs
   • CodeQL, dependency review, and secret scanning run in CI (see .github/workflows/)
   • Run npm audit locally for ad-hoc checks

4. Rate Limiting:

   • Configure appropriate rate limits for your use case (see lib/security/rate-limit.ts)
   • Use Redis for distributed rate limiting in production

5. Headers & CORS:

   • Review security headers in proxy.ts (Next.js 16's renamed middleware)
   • Configure CORS appropriately for your domain

6. Monitoring:

   • Enable error tracking (Sentry is pre-configured)
   • Monitor authentication logs for suspicious activity
   • Set up alerts for unusual patterns

Sunrise includes these security features out of the box:

• Rate limiting on authentication endpoints
• CSRF protection via better-auth
• Secure password hashing (bcrypt via better-auth)
• Input validation with Zod
• Security headers (CSP, HSTS, X-Frame-Options, etc.)
• SQL injection protection via Prisma
• XSS protection via React and input sanitization
• Supply-chain scanning in CI: automated dependency updates (Dependabot), PR vulnerability gating (dependency review), static analysis (CodeQL), and secret scanning (TruffleHog)

We appreciate security researchers who responsibly disclose vulnerabilities. With your permission, we'll acknowledge your contribution in our release notes.