Skip to content

Security: persist-os/backend

Security

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public GitHub issue
  2. Email security concerns to the maintainers privately
  3. Include detailed steps to reproduce the vulnerability
  4. Allow up to 48 hours for initial response

Supported Versions

Version Supported
latest

Security Best Practices for Contributors

This project requires sensitive credentials to run:

  • API keys (Stripe, OpenAI, Anthropic, etc.)
  • OAuth credentials (Google, Instagram)
  • Firebase Admin SDK credentials
  • Database connection URLs

NEVER commit credentials to git. Use environment variables only.

Local Development

  1. Copy .env.example to .env
  2. Fill in your own credentials
  3. Never share or commit your .env file

Required Environment Variables

See .env.example for the complete list of required configuration.

Dependency Security

  • We use Dependabot for automated security updates
  • All PRs are scanned for secrets before merge
  • Dependencies are audited regularly

There aren't any published security advisories