Please don't open a public issue for security-sensitive reports.
Use one of:
- GitHub private security advisory (preferred) — report it here. This creates a private thread only maintainers and people you add can see.
- Email —
salah.awad@outlook.comwith subject[TestSuits security].
Please include:
- A description of the issue and the impact.
- Clear reproduction steps (curl / screenshots / a short script).
- Affected version or commit SHA.
- Your contact info so we can follow up.
You can expect an acknowledgement within 3 working days and a first assessment within 10 working days. We'll coordinate a disclosure timeline once we understand the scope.
TestSuits is pre-1.0 and ships only from main. Security fixes land on main; there are no backports. If you're running an older commit, pull the latest and redeploy.
The following are in scope for reports:
- Cross-tenant data leaks (a user of company A reading or mutating data of company B).
- Authentication / session bypasses (JWT handling, API tokens, invite / reset tokens).
- Privilege escalation (
TESTERdoing what onlyMANAGERshould be able to do). - Server-side injection (SQL, command, SSRF).
- Sensitive data in logs (passwords, tokens, full Jira credentials).
- Insecure handling of attachments (path traversal, arbitrary content served with an exploitable mime type).
- Jira integration misuse (filing issues into the wrong Jira project because of injection or scope bypass).
- Issues that require an already-compromised host or a malicious collaborator inside the same company.
- Rate limiting / brute force on local dev. Deployed instances should sit behind a reverse proxy that handles this.
- Known behaviour documented in the README (e.g. signed download URLs served by
S3_PUBLIC_ENDPOINT, dev-mode reset-link echo). - Missing security headers that are the deployment's responsibility.
.envis gitignored. Never commit a populated.envor any file matchingseed.*.local.ts.- If you believe credentials have been leaked in this repo's history, report it through the channels above and we'll rotate.