This project is actively maintained. Security updates are provided for the current production version.
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
- Firebase Authentication with role-based access control
- Granular permission system (view/create/edit levels per module)
- User archiving to disable access while preserving data
- Hotel staff scoped to specific properties
- Real-time permission updates via Firestore listeners
- Firestore Security Rules enforce all access controls at database level
- Encrypted data transmission (HTTPS/TLS)
- No client-side permission bypasses possible
- Archived users completely blocked from all access
- Hotel staff can only access their assigned hotel data
All data access is protected by comprehensive Firestore Security Rules that:
- Require authentication for all operations
- Block archived users (
archived != true) - Enforce module-based permissions (diveLog, maintenance, contracts)
- Validate permission levels (view < create < edit)
- Scope hotel staff to their assigned
hotelId - Prevent unauthorized data modification
See firestore.rules for complete security rule implementation.
If you discover a security vulnerability in this application, please report it responsibly:
- Email: [security@seasaba.com]
- Response Time: We aim to acknowledge reports within 48 hours
- Updates: You will receive updates on the status of your report weekly
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if available)
- Acknowledgment: Within 48 hours of report
- Initial Assessment: Within 1 week
- Fix Timeline: Critical issues within 2 weeks, others within 30 days
- Disclosure: We will coordinate disclosure timing with you
- Credit: Security researchers will be credited (unless they prefer anonymity)
- Vulnerabilities in third-party dependencies (report to the dependency maintainers)
- Social engineering attacks
- Physical security issues
- Denial of service attacks
- Use strong, unique passwords for all accounts
- Enable two-factor authentication when available
- Regularly review user permissions and access logs
- Archive users immediately upon termination
- Keep Firebase SDK and dependencies up to date
- Monitor Firebase console for security rule violations
- Never commit API keys or secrets to version control
- Use environment variables for all sensitive configuration
- Follow principle of least privilege for all operations
- Validate all user input on both client and server
- Keep dependencies updated and monitor for vulnerabilities
- Test security rules thoroughly before deployment
- Use TypeScript for type safety and reduced bugs
- Use strong, unique passwords
- Do not share login credentials
- Report suspicious activity immediately
- Log out when using shared devices
- Keep your contact information up to date
This application handles business operational data and implements:
- Role-based access control (RBAC)
- Audit trails via Firestore timestamps and
createdByfields - Data retention policies (archived users, not deleted)
- Secure data transmission (HTTPS only)
Security updates are deployed as follows:
- Critical vulnerabilities: Immediate hotfix deployment
- High severity: Within 1 week
- Medium severity: Within 30 days
- Low severity: Next scheduled release
Users will be notified of security updates via:
- In-app notifications
- Email to administrators
- Release notes in repository
Last Updated: March 2026
Next Review: Quarterly