
Security: Omnikon-Org/HackBoard


SECURITY.md

Code Security Policy

This document outlines the security standards, vulnerability reporting process, and safe coding practices for the HackBoard repository.

Vulnerability Reporting

If you identify a security vulnerability within HackBoard, do not open a public issue. Report it privately to allow us to address it before public disclosure.

  • Contact Email: security@demondie.dev
  • Response SLA:
    • Acknowledgment: Within 72 hours of submission.
    • Patch Target: Critical vulnerabilities will be patched within 14 days of verification.

What to Include in a Report

  • Detailed steps to reproduce the issue.
  • Impact analysis (what data or access could be compromised).
  • Proof-of-concept code or payloads, if applicable.
  • Suggested remediation, if known.

Safe Coding Standards

All contributions must adhere to the following security principles:

1. Input Validation and Type Safety

  • Validate all user-supplied inputs on both the client and server.
  • Define a Zod schema as the input of every tRPC procedure so that each payload is type-checked at compile time and validated at run time before the resolver runs; nothing from the client reaches a resolver unvalidated.
  • TypeScript strict mode must remain enabled, and the any type must not be used; express unknown input as unknown and narrow it with a schema.

2. SQL Injection Prevention

  • All database queries must run through the Prisma ORM.
  • Never build raw SQL by concatenating or interpolating strings into the query text (for example, passing a hand-built string to $queryRawUnsafe). If a raw query is unavoidable, write it with the $queryRaw tagged template so that every interpolated value is sent to the database as a bound parameter rather than as part of the SQL text.
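
The following is an added example, not Prisma's code or code from this repository. It is a minimal model of what a SQL tagged template does with interpolated values, placed beside the string concatenation this policy forbids. Prisma's $queryRaw tag performs the same separation internally and hands placeholders plus values to the driver; $queryRawUnsafe with a hand-built string does not. The placeholder style ($1, $2) follows PostgreSQL; the "User" and "Event" table names and the helper names are assumptions made for this example.

```typescript
// Added example (not Prisma's implementation): model of parameter binding
// by a tagged template, beside the forbidden string-interpolation pattern.

export interface ParameterizedQuery {
  text: string;      // SQL with positional placeholders ($1, $2, ...)
  values: unknown[]; // bound values, sent to the database separately
}

// Tagged template: every ${...} becomes a placeholder, never query text.
export function sql(strings: TemplateStringsArray, ...values: unknown[]): ParameterizedQuery {
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    text += `$${i + 1}${strings[i + 1]}`;
  }
  return { text, values };
}

// Forbidden pattern: user input becomes part of the SQL text
// (what $queryRawUnsafe would receive if called with this string).
export function unsafeFindUserByEmail(email: string): string {
  return `SELECT id, email FROM "User" WHERE email = '${email}'`;
}

// Required pattern: user input is bound as a parameter.
export function safeFindUserByEmail(email: string): ParameterizedQuery {
  return sql`SELECT id, email FROM "User" WHERE email = ${email}`;
}

// Several values are bound in the order they appear in the template.
export function safeFindEventForOrganizer(eventId: string, organizerId: string): ParameterizedQuery {
  return sql`SELECT id, title FROM "Event" WHERE id = ${eventId} AND "organizerId" = ${organizerId}`;
}

// Constructed attacker input: closes the quoted literal and appends a tautology.
export const INJECTION_PAYLOAD = "' OR '1'='1";

// Crude check used only to illustrate the difference: does the SQL text
// itself now contain the attacker's clause?
export function queryTextWasTampered(text: string): boolean {
  return text.includes("OR '1'='1");
}
```

With the payload above, unsafeFindUserByEmail produces a WHERE clause that is true for every row, while safeFindUserByEmail produces a fixed query text with the payload carried as a plain string value, which the database compares literally. The same holds in Prisma: the risk is not $queryRaw itself but assembling the string before the tag sees it.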

3. Authentication and Authorization

  • All mutating endpoints (create, update, delete) must be built on tRPC protectedProcedure so that an unauthenticated caller is rejected before the resolver runs.
  • Verify resource ownership (e.g., that session.user.id matches the database record's organizerId or createdById) before executing an update or deletion; never rely on an ID or role sent by the client.
  • Access to admin, organizer, and judge functionality must be validated server-side by middleware that checks the role stored in the session, not by hiding UI elements on the client.

4. Cross-Site Scripting (XSS)

  • Do not bypass React's default escaping (e.g., avoid dangerouslySetInnerHTML) unless the HTML has been sanitized with an allow-list sanitizer such as DOMPurify before it is rendered (on the server DOMPurify needs a DOM implementation such as jsdom). Escaping alone does not make rendered HTML safe.
  • Validate every uploaded file by size and by its actual content (e.g., magic bytes), not only by the client-supplied Content-Type, which an attacker controls. Serve uploads with X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy so that an upload containing HTML or script cannot be rendered in the site's origin.

5. CSRF and Session Security

  • Use NextAuth.js configured with HTTP-only, secure, same-site cookies for session tokens.
  • Keep the X-Frame-Options header set to DENY or SAMEORIGIN (or the equivalent Content-Security-Policy frame-ancestors directive) to prevent clickjacking.

6. Secrets Management

  • Never commit credentials, API keys, private keys, or certificates to the repository.
  • Use environment variables (.env.local, which must stay git-ignored) for all local secrets.
  • Any variable prefixed NEXT_PUBLIC_ is inlined into the browser bundle at build time and is therefore public. Use the prefix only for values that are safe to expose, and never for private service credentials.

7. Dependency Scanning

  • Ensure dependencies are kept up-to-date.
  • Dependencies will be audited continuously via automated security scans on GitHub.
