| Version | Supported |
|---|---|
| 1.x | Yes |
If you discover a security vulnerability in WorkHub, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email us at info@sikasio.com with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)
Reports are handled on the following timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix and disclosure: coordinated with the reporter
The following are in scope:
- Authentication and authorization bypasses
- Data exposure or leakage
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- SQL/NoSQL injection
- Firebase security rule bypasses
The following are out of scope:
- Vulnerabilities in third-party dependencies (report these upstream)
- Issues requiring physical access to a user's device
- Social engineering attacks
- Denial of service attacks
When deploying WorkHub, ensure:
- Firebase Security Rules are deployed (`npm run firebase:deploy:rules`)
- Environment variables are kept secret and never committed to version control
- Firebase Authentication is properly configured with appropriate sign-in methods
- Storage rules are deployed to enforce file size and access limits
- Service account keys are stored securely and rotated regularly
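As an added example (these are not WorkHub's own rules files; the `tasks` collection, the `ownerId` field, the `uploads/{uid}/` path prefix, the 5 MB cap and the accepted content types are all assumptions), here is a deny-by-default `firestore.rules` and `storage.rules` pair that enforces the kind of access and file-size limits the checklist above asks for. The two files are shown together for reading; deploy them as separate files.

```firebase
// firestore.rules (file name assumed; collection and field names are illustrative)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A task is readable and writable only by its signed-in owner.
    match /tasks/{taskId} {
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;
      // On create there is no existing document, so the check is on the
      // incoming data: a caller may only create a task owned by themselves.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;
      // On update both the stored and incoming ownerId must match the caller,
      // which blocks reassigning a task to another user.
      allow update: if request.auth != null
                    && resource.data.ownerId == request.auth.uid
                    && request.resource.data.ownerId == request.auth.uid;
      allow delete: if request.auth != null
                    && resource.data.ownerId == request.auth.uid;
    }
    // Firestore already denies anything no rule allows; this match only makes
    // the default explicit for reviewers. It never overrides an allow above.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

// storage.rules (file name assumed; path prefix, size cap and types are illustrative)
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Objects live under uploads/<uid>/...; only that user may touch them.
    match /uploads/{uid}/{fileName} {
      allow read: if request.auth != null && request.auth.uid == uid;
      // Size and content-type checks apply only to uploads. On delete,
      // request.resource is null, so delete needs its own rule without them;
      // a single "allow write" carrying these checks would break deletes.
      allow create, update: if request.auth != null
                            && request.auth.uid == uid
                            && request.resource.size < 5 * 1024 * 1024
                            && request.resource.contentType.matches('image/.*|application/pdf');
      allow delete: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Before running `npm run firebase:deploy:rules`, exercise the rules against the local emulator (`firebase emulators:start --only firestore,storage`): a rule that references a field the document does not have evaluates to deny rather than erroring, and you want to see that behaviour locally rather than in production. Note also that any `allow` that matches wins, so an overly broad rule elsewhere in the file silently widens access regardless of the explicit `if false` fallback.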
Thank you for helping keep WorkHub and its users safe.