We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of SmartWatt Frontend seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

Please do NOT:
- Open a public GitHub issue
- Discuss the vulnerability publicly
- Exploit the vulnerability
Report security vulnerabilities privately via one of these methods:
- GitHub Security Advisories (preferred)
  - Go to the Security tab
  - Click "Report a vulnerability"
  - Fill in the details
- Email
  - Send details to: [Insert Security Email]
  - Subject line: `[SECURITY] Brief description`
  - Include as much detail as possible
Please provide:
- Type of vulnerability (e.g., XSS, CSRF, authentication bypass)
- Full paths of affected files/components
- Location of the vulnerable code (tag/branch/commit or URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept (screenshots, video, or code)
- Impact of the vulnerability
- Suggested fix (if you have one)
Example report:

**Vulnerability Type**: Cross-Site Scripting (XSS)
**Affected Component**: Appliance name input field
**Severity**: High
**Description**:
The appliance name field does not sanitize user input, allowing
injection of malicious scripts.
**Steps to Reproduce**:
1. Navigate to Add Appliance form
2. Enter `<script>alert('XSS')</script>` in the name field
3. Submit form
4. Script executes on page load
**Impact**:
Attacker could steal user session data or manipulate the UI
**Suggested Fix**:
Sanitize all user inputs before rendering in the DOM

Response timeline:

| Stage | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Vulnerability Assessment | Within 7 days |
| Fix Development | Depends on severity |
| Patch Release | ASAP after fix verification |
| Public Disclosure | After patch is widely deployed |
Severity levels and target response times:

| Level | Response Time | Examples |
|---|---|---|
| Critical | < 24 hours | RCE, Authentication bypass, Sensitive data exposure |
| High | < 7 days | XSS, CSRF, Injection vulnerabilities |
| Medium | < 30 days | Information disclosure, Insecure defaults |
| Low | < 90 days | Minor issues, Best practice violations |
For users:
- Keep Updated: Always use the latest deployed version
- HTTPS Only: Ensure you're accessing the site via HTTPS
- Secure Connections: Don't use public Wi-Fi for sensitive operations
- Browser Security: Keep your browser updated
- Privacy: Don't share your session or personal data

For developers:
- Input Validation: Always validate and sanitize user inputs
- XSS Prevention: Use React's built-in XSS protection (never use `dangerouslySetInnerHTML` without sanitization)
- API Security: Never expose API keys or secrets in the frontend
- HTTPS: Use HTTPS for all API calls
- Dependencies: Keep dependencies updated (`npm audit`)
- Sensitive Data: Don't log sensitive information
- Error Messages: Don't expose stack traces in production
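The validate-then-escape pattern from the developer guidance above, applied to the appliance name field from the sample report. This is an added example, not SmartWatt's own code; the length limit and character allowlist are assumptions.

```typescript
// Added example, not SmartWatt code. Validation for the appliance name field,
// meant to run identically in the React form and in the backend/API route.
// MAX_NAME_LENGTH and NAME_PATTERN are assumed values, not project settings.

const MAX_NAME_LENGTH = 64;
// Allowlist: ASCII letters, digits, space and a few punctuation marks.
// Angle brackets and double quotes are simply not accepted, so the sample
// payload <script>alert('XSS')</script> is rejected before storage or rendering.
const NAME_PATTERN = /^[A-Za-z0-9 _'.-]+$/;

type ValidationResult = { ok: true; value: string } | { ok: false; reason: string };

function validateApplianceName(raw: unknown): ValidationResult {
  if (typeof raw !== 'string') return { ok: false, reason: 'name must be a string' };
  const value = raw.trim();
  if (value.length === 0) return { ok: false, reason: 'name is required' };
  if (value.length > MAX_NAME_LENGTH) {
    return { ok: false, reason: `name longer than ${MAX_NAME_LENGTH} characters` };
  }
  if (!NAME_PATTERN.test(value)) return { ok: false, reason: 'name contains disallowed characters' };
  return { ok: true, value };
}

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Output encoding for the one place a name might be rendered as raw HTML
// (e.g. a chart tooltip passed to dangerouslySetInnerHTML). Inside JSX,
// React escapes {name} itself and this step is unnecessary.
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
```

Because the validator is a plain function with no DOM dependency, the same module can be imported by the form component and by the API route, which is what "validate on both frontend and backend" requires.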
SmartWatt Frontend includes these security measures:
- Input Sanitization: All user inputs are validated
- XSS Protection: React's built-in protection against XSS
- HTTPS Enforcement: All API calls use HTTPS
- CSP Headers: Content Security Policy configured
- No Inline Scripts: All scripts loaded from trusted sources
- Secure Headers: Security headers configured in Next.js
- Environment Variables: Sensitive data in env vars, not code
Next.js automatically sets many security headers. Ensure these are enabled in production:

```ts
// next.config.ts
import type { NextConfig } from 'next';

const securityHeaders = [
  {
    key: 'X-DNS-Prefetch-Control',
    value: 'on'
  },
  {
    // Two years, subdomains included, eligible for the browser preload list
    key: 'Strict-Transport-Security',
    value: 'max-age=63072000; includeSubDomains; preload'
  },
  {
    // Blocks framing by other origins (clickjacking)
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    // Stops browsers from MIME-sniffing responses away from the declared type
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    // Legacy header; modern browsers ignore it and rely on CSP instead
    key: 'X-XSS-Protection',
    value: '1; mode=block'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  }
];

// Apply the headers to every route
const nextConfig: NextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: securityHeaders,
      },
    ];
  },
};

export default nextConfig;
```

Client-side visibility:
- All frontend data is visible to users
- Never store sensitive information in client state
- Use backend validation for all critical operations

Environment variables:
- `NEXT_PUBLIC_*` variables are exposed to the browser
- Only use them for public APIs
- Backend handles sensitive operations

Dependencies:
- Regularly audit dependencies: `npm audit`
- Update packages with known vulnerabilities
- Review new dependencies before adding

Input validation:
- All user inputs are potential attack vectors
- Validate on both frontend and backend
- Sanitize before rendering or storing
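A post-deploy check for the security headers configured in `next.config.ts` above. This is an added example, not SmartWatt's own code: it compares a response's headers against the configured values, the CSP rule reflects the "No Inline Scripts" measure listed earlier, and the minimum HSTS age (one year) and the sample response are assumptions constructed for the example.

```typescript
// Added example, not SmartWatt code. Compares an HTTP response's headers
// with the securityHeaders list in next.config.ts so a post-deploy check can
// flag missing or weakened headers. MIN_HSTS_AGE (one year) is an assumed
// minimum; the legacy X-XSS-Protection and X-DNS-Prefetch-Control are not checked.

const MIN_HSTS_AGE = 31536000;

interface HeaderRule { key: string; check: (value: string) => boolean }

function hstsOk(v: string): boolean {
  const m = /max-age=(\d+)/i.exec(v);
  return m !== null && Number(m[1]) >= MIN_HSTS_AGE && /includesubdomains/i.test(v);
}

// Keys are lower-case because HTTP header names are case-insensitive.
const SECURITY_HEADER_RULES: HeaderRule[] = [
  { key: 'strict-transport-security', check: hstsOk },
  { key: 'x-frame-options', check: (v) => /^(deny|sameorigin)$/i.test(v.trim()) },
  { key: 'x-content-type-options', check: (v) => v.trim().toLowerCase() === 'nosniff' },
  { key: 'referrer-policy', check: (v) => v.trim().toLowerCase() === 'strict-origin-when-cross-origin' },
  // "No inline scripts": a CSP that allows unsafe-inline or unsafe-eval defeats the measure
  { key: 'content-security-policy', check: (v) => !/unsafe-inline|unsafe-eval/i.test(v) },
];

// Returns one finding per missing or weak header; an empty array means every rule passed.
function auditSecurityHeaders(headers: Record<string, string>): string[] {
  const lower: Record<string, string> = {};
  for (const k of Object.keys(headers)) lower[k.toLowerCase()] = headers[k];
  const findings: string[] = [];
  for (const rule of SECURITY_HEADER_RULES) {
    const value: string | undefined = lower[rule.key];
    if (value === undefined) findings.push(`missing: ${rule.key}`);
    else if (!rule.check(value)) findings.push(`weak: ${rule.key}=${value}`);
  }
  return findings;
}

// Constructed sample response: HSTS too short, nosniff absent, CSP allows inline scripts.
const SAMPLE_RESPONSE_HEADERS: Record<string, string> = {
  'Strict-Transport-Security': 'max-age=3600',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
```

In a CI job, feed `auditSecurityHeaders` the header map of a real response from the deployed site and fail the job when the returned array is non-empty.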
We use the following third-party services with security considerations:
| Service | Purpose | Security Notes |
|---|---|---|
| Vercel | Hosting | HTTPS enforced, DDoS protection |
| Supabase | Database (Optional) | Row Level Security enabled |
| Axios | HTTP Client | Request/response interceptors for auth |
| Recharts | Charts | No external data fetching |
| Plotly | Charts | Sandboxed rendering |
Upon receiving a security report:
- Day 0: Report received and acknowledged
- Day 1-7: Vulnerability verified and assessed
- Day 7-30: Patch developed and tested
- Day 30: Patch released to production
- Day 30+: Public disclosure (after patch deployment)
Subscribe to security advisories:
- GitHub Watch: Enable security alerts for this repo
- RSS Feed: Security Advisories Feed
- Release Notes: Check our releases for security patches
We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be:
- Credited in release notes (unless anonymity requested)
- Listed in our SECURITY_HALL_OF_FAME.md
- Eligible for acknowledgment in our documentation
For general security questions (not vulnerabilities):
- Open a Discussion
- Tag with the `security` label
Thank you for helping keep SmartWatt secure!