We are committed to fixing security vulnerabilities in the following versions of this project:

Please do not open a public GitHub issue for security vulnerabilities.

If you discover a security vulnerability within this project, please follow these steps:

1. Private Report: Navigate to the Security tab of this repository.
2. Submit Advisory: Click on "Report a vulnerability" to submit a private report.
3. Details: Include a full Proof of Concept (PoC), including:
   • Detailed steps to reproduce the bug.
   • The potential impact (e.g., Stored XSS, IDOR, etc.).
   • Any suggested fixes or patches.

The following are in scope for vulnerability reports:

• Authentication and authorization flaws (e.g., broken auth, session fixation)
• Cross-Site Scripting (XSS) — stored, reflected, or DOM-based
• Cross-Site Request Forgery (CSRF)
• Injection vulnerabilities (SQL, command, template, etc.)
• Sensitive data exposure (credentials, API keys, PII)
• Insecure Direct Object References (IDOR)
• Security misconfigurations
• Third-party dependency vulnerabilities with a clear impact on this project

The following are out of scope:

• Denial-of-service (DoS/DDoS) attacks
• Attacks requiring physical access to the device
• Social engineering attacks targeting maintainers or users
• Vulnerabilities in third-party services (Firebase, Netlify, etc.) — report these to the relevant vendor
• Issues in unsupported versions (see table above)
• Missing security headers that are already addressed in netlify.toml

• Never commit secrets. API keys, tokens, and credentials must be stored in .env.local (already git-ignored).
• Keep dependencies up-to-date and run npm audit before submitting a pull request.
• Follow the OWASP Top 10 guidelines when adding new features.
• Use parameterised inputs and validate all user-supplied data with Zod schemas.

Description: Firebase API keys and a Web3Forms access key were hardcoded directly in lib/firebase.ts and the contact/projects pages, allowing any unauthenticated user to query Firebase project configuration, create unauthorized accounts, and read all Firestore user documents without authentication.

Fix: All sensitive credentials have been removed from source code and are now read exclusively from environment variables (NEXT_PUBLIC_FIREBASE_* and NEXT_PUBLIC_WEB3FORMS_ACCESS_KEY). A .env.example template is provided; a .env.local file (git-ignored) must be created with the real values before running the application. The application throws a startup error if any required Firebase variable is absent.

We appreciate the efforts of security researchers who responsibly disclose vulnerabilities. Verified reporters will be credited in the release notes unless they prefer to remain anonymous.