| Version | Supported |
|---|---|
| 1.x | ✅ |
If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email the maintainer directly or use GitHub Security Advisories
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
You can expect an initial response within 72 hours.
This project implements several security controls:
All outbound HTTP requests go through HttpUtils which validates URL schemes (HTTPS only) and checks hosts against a trusted allowlist. Pagination links from external APIs (e.g., Microsoft Graph @odata.nextLink) are also validated to prevent open-redirect SSRF attacks.
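The following Dart code is an added illustration of the validation policy described above; it is not the project's own HttpUtils. The allowlist entries, the exception type and the function names are assumptions for the example. It enforces the HTTPS-only rule, rejects URLs carrying userinfo (which can make the authority misleading), matches the host exactly against the allowlist (no suffix matching), and applies the same checks to a pagination link before it is followed, additionally requiring that the link stays on the host the page was fetched from.

```dart
// Added example (not the project's HttpUtils): HTTPS-only outbound URL
// validation with an exact-match host allowlist, applied to caller-supplied
// URLs and to pagination links returned by an API.

/// Hosts this app is allowed to talk to. Entries are assumed for the example.
const Set<String> trustedHosts = {
  'graph.microsoft.com',
  'login.microsoftonline.com',
};

class UntrustedUrlException implements Exception {
  final String reason;
  UntrustedUrlException(this.reason);
  @override
  String toString() => 'UntrustedUrlException: $reason';
}

/// Parses [raw] and returns it only if it is an absolute HTTPS URL whose host
/// is exactly on the allowlist. Throws [UntrustedUrlException] otherwise.
Uri validateOutboundUrl(String raw) {
  final uri = Uri.tryParse(raw);
  if (uri == null || !uri.hasScheme || !uri.hasAuthority) {
    throw UntrustedUrlException('not an absolute URL: $raw');
  }
  if (uri.scheme.toLowerCase() != 'https') {
    throw UntrustedUrlException('scheme "${uri.scheme}" is not https');
  }
  if (uri.userInfo.isNotEmpty) {
    // "https://graph.microsoft.com@other.example/" parses with host
    // other.example; reject userinfo outright so the authority is unambiguous.
    throw UntrustedUrlException('userinfo is not allowed in outbound URLs');
  }
  final host = uri.host.toLowerCase();
  // Exact match only: "graph.microsoft.com.other.example" and
  // "notgraph.microsoft.com" are both rejected.
  if (!trustedHosts.contains(host)) {
    throw UntrustedUrlException('host "$host" is not on the allowlist');
  }
  return uri;
}

/// A pagination link (e.g. @odata.nextLink) is followed only if it passes the
/// same checks as the original request and points at the same host.
Uri validateNextLink(Uri pageUri, String nextLink) {
  final next = validateOutboundUrl(nextLink);
  if (next.host.toLowerCase() != pageUri.host.toLowerCase()) {
    throw UntrustedUrlException(
        'nextLink host "${next.host}" differs from "${pageUri.host}"');
  }
  return next;
}

void main() {
  final page =
      validateOutboundUrl('https://graph.microsoft.com/v1.0/me/events');
  // Constructed sample nextLink values: the first is followed, the others
  // are rejected for the reason printed beside them.
  final samples = [
    'https://graph.microsoft.com/v1.0/me/events?\$skiptoken=abc',
    'http://graph.microsoft.com/v1.0/me/events',
    'https://intranet.example/internal/',
    'https://graph.microsoft.com.other.example/',
    'https://graph.microsoft.com@other.example/',
    'https://login.microsoftonline.com/common/',
    '/v1.0/me/events?\$skiptoken=abc',
  ];
  for (final s in samples) {
    try {
      validateNextLink(page, s);
      print('follow:  $s');
    } on UntrustedUrlException catch (e) {
      print('reject:  $s  ($e)');
    }
  }
}
```

Note that the sixth sample is on the allowlist yet still rejected as a nextLink, because a continuation link is expected to stay on the host that issued the first page; that second check is what stops a trusted-but-different host from being used as a pivot.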
Sensitive data (tokens, passwords) are stored using flutter_secure_storage, which uses:
- iOS: Keychain Services
- Android: EncryptedSharedPreferences (AES-256)
Credentials are never stored in plaintext or in SharedPreferences, and are never written to logs.
Internal errors (stack traces, database errors, API responses) are caught and logged locally but never exposed to end users. Generic error messages prevent information leakage.
- Event fields are validated before persistence
- Authentication inputs are validated client-side before Firebase calls
- API responses are parsed with null-safety checks
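The two points above (internal errors logged locally but surfaced to the user only as a generic message, and event fields validated before they are persisted) are illustrated together in the following added Dart example. It is not the project's code; the `Guarded` result type, the `guard` wrapper, the `EventInput` model and the specific field rules are assumptions chosen for the illustration.

```dart
// Added example (not the project's code): an error boundary that keeps
// exception details in the local log, plus pre-persistence field validation.
import 'dart:developer' as developer;

/// Outcome of a guarded operation: either a value or a fixed, user-safe
/// message. The underlying exception never leaves this layer.
class Guarded<T> {
  final T? value;
  final String? userMessage;
  Guarded.ok(this.value) : userMessage = null;
  Guarded.failed(this.userMessage) : value = null;
  bool get isOk => userMessage == null;
}

/// Runs [action]; on any failure the exception and stack trace go to the
/// local developer log only and the caller receives a generic message.
Future<Guarded<T>> guard<T>(
    String operation, Future<T> Function() action) async {
  try {
    return Guarded.ok(await action());
  } catch (e, st) {
    developer.log('$operation failed', error: e, stackTrace: st, name: 'app');
    return Guarded.failed('Something went wrong. Please try again.');
  }
}

/// Minimal event model; field names and limits are assumed for the example.
class EventInput {
  final String title;
  final DateTime start;
  final DateTime end;
  EventInput({required this.title, required this.start, required this.end});
}

/// Returns the list of validation problems; an empty list means the event
/// may be persisted.
List<String> validateEvent(EventInput e) {
  final problems = <String>[];
  final title = e.title.trim();
  if (title.isEmpty) problems.add('title is required');
  if (title.length > 200) problems.add('title longer than 200 characters');
  if (!e.end.isAfter(e.start)) problems.add('end must be after start');
  return problems;
}

Future<void> main() async {
  // Constructed input that fails two checks.
  final bad = EventInput(
      title: '   ',
      start: DateTime(2024, 5, 1, 10),
      end: DateTime(2024, 5, 1, 9));
  print(validateEvent(bad)); // [title is required, end must be after start]

  // Simulated storage failure: the detailed error goes to the log, the
  // user-facing result carries only the generic message.
  final r = await guard<int>('saveEvent', () async {
    throw StateError('constructed database error with internal detail');
  });
  print(r.isOk ? 'saved' : r.userMessage);
}
```

Validation runs before `guard`, so a rejected event produces specific, non-sensitive field messages the user can act on, while anything thrown by the storage layer itself is collapsed to the generic message.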
- Dependabot is enabled for automated dependency updates
- CodeQL runs weekly for static analysis
- CI runs on every PR to catch regressions