If you discover a security vulnerability in this project, please report it responsibly.

Please do not report security vulnerabilities through public GitHub issues.

Instead:

1. GitHub Private Vulnerability Reporting: Use GitHub's private vulnerability reporting feature on this repository
2. Email: If private reporting is not available, contact the maintainer directly

• Description of the vulnerability
• Steps to reproduce
• Affected components (Lambda functions, CDK stack, etc.)
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment within 48 hours
• Regular updates on progress
• Credit in the fix (unless you prefer anonymity)

This project handles authentication tokens and session data. Key security areas:

• Lambda Authorizer (lambda/authorizer.py): JWT validation and session verification
• Session Storage (DynamoDB): Server-side token storage
• Auth Callback (lambda/auth_callback.py): OAuth2 token exchange

See the README for recommended production hardening measures.

This security policy covers:

• The CDK infrastructure code
• Lambda function code
• Authentication and session handling logic

Out of scope:

• AWS service vulnerabilities (report to AWS)
• Dependencies (report to respective maintainers)