OasisBio is committed to ensuring the security of our users' identity data. This document outlines our security practices and how to report vulnerabilities.
| Version | Supported |
|---|---|
| 1.x | ✅ |
We recommend always using the latest stable release.
If you discover a security vulnerability, please report it responsibly:
Do NOT create a public GitHub issue for security vulnerabilities.
Instead, please send details to security@oasiscompany.org with:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct link)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment of the vulnerability
We aim to acknowledge vulnerability reports within 48 hours and provide a timeline for remediation:
- Critical: Response within 24 hours, fix within 7 days
- High: Response within 48 hours, fix within 14 days
- Medium: Response within 72 hours, fix within 30 days
- Low: Response within 1 week, fix within 90 days
- All authentication uses Supabase Auth with secure session management
- OAuth 2.0 implementation follows RFC 6749 with PKCE (RFC 7636)
- Access tokens are JWTs signed with HS256
- Refresh token rotation is enabled by default
- All database connections use SSL/TLS
- Sensitive data is encrypted at rest
- Row Level Security (RLS) is enforced on all database tables
- API endpoints validate ownership before returning data
The following scopes are available for third-party applications:
| Scope | Access Level |
|---|---|
profile |
Basic profile information (username, display name, avatar) |
email |
Email address |
oasisbios:read |
View character list |
oasisbios:full |
Full character details |
dcos:read |
Read DCOS documents |
context:read |
Read structured identity context |
- Public endpoints: 100 requests per minute per IP
- Authenticated endpoints: 1000 requests per minute per user
- OAuth endpoints: 20 requests per minute per client
Security updates will be released as patch versions (e.g., 1.0.x) and announced through:
- GitHub Security Advisories
- Release notes
- Email notifications (for users who have opted in)
We regularly update dependencies to patch known vulnerabilities:
# Check for vulnerable dependencies
pnpm audit
# Update dependencies
pnpm updateWhen contributing to OasisBio:
- Never commit secrets — Use environment variables only
- Validate all input — Sanitize and validate before database queries
- Use parameterized queries — Prisma ORM prevents SQL injection by default
- Implement proper error handling — Don't expose stack traces in production
- Follow least privilege — Request only necessary permissions
- Deployment on Vercel with automatic DDoS protection
- Environment variables encrypted at rest
- Database credentials rotated regularly
- Audit logs for administrative actions
- Automated backups with point-in-time recovery
For security concerns not suitable for email, please request our security contact through GitHub's Private vulnerability reporting feature.
Last updated: 2024