This document outlines the security standards, vulnerability reporting process, and safe coding practices for the HackBoard repository.
If you identify a security vulnerability within HackBoard, do not open a public issue. Report it privately to allow us to address it before public disclosure.
- Contact Email: security@demondie.dev
- Response SLA:
  - Acknowledgment: Within 72 hours of submission.
  - Patch Target: Critical vulnerabilities will be patched within 14 days of verification.
Please include the following in your report:
- Detailed steps to reproduce the issue.
- Impact analysis (what data or access could be compromised).
- Proof-of-concept code or payloads, if applicable.
- Suggested remediation, if known.
All contributions must adhere to the following security principles:
- Validate all user-supplied inputs on both the client and server.
- Use Zod schemas in tRPC procedures to ensure type safety and run-time validation of all payloads.
- TypeScript strict mode must remain enabled with zero `any` usage.
- All database queries must run through the Prisma ORM.
- Avoid raw SQL queries (`$queryRaw`) with unescaped string interpolation. If raw queries are necessary, use parameterized inputs via SQL template literals.
- All mutating endpoints (create, update, delete) must be protected using tRPC `protectedProcedure`.
- Verify resource ownership (e.g., confirm that `session.user.id` matches the database record's `organizerId` or `createdById`) before executing updates or deletions.
- Access to admin, organizer, and judge roles must be validated server-side using middleware checks.
- Do not bypass React's default escaping behavior (e.g., avoid `dangerouslySetInnerHTML`) unless user input is thoroughly sanitized using a library like DOMPurify on the server.
- Ensure all uploaded files are validated by MIME type and size. Serve uploads with secure content headers (e.g., `Content-Security-Policy`, `X-Content-Type-Options: nosniff`).
- Use NextAuth.js configured with HTTP-only, secure, same-site cookies for session tokens.
- Keep the `X-Frame-Options` header set to `DENY` or `SAMEORIGIN` to prevent clickjacking.
- Never commit credentials, API keys, private keys, or certificates to the repository.
- Use environment variables (`.env.local`) for all local secrets.
- Prefix environment variables meant for client execution with `NEXT_PUBLIC_` only when absolutely necessary (do not expose private service credentials).
- Ensure dependencies are kept up-to-date.
- Dependencies will be audited continuously via automated security scans on GitHub.