We take security seriously. If you discover a vulnerability, please follow these steps:

- Do not create a public issue. Contact the maintainers privately at ashishparab03@gmail.com.
- Provide steps to reproduce, the affected versions, and a minimal proof of concept if possible.
- We will acknowledge your report within 48 hours and work on a fix.

For third-party dependency vulnerabilities, we rely on Dependabot and scheduled `npm audit` runs.

Sensitive data (API keys, passwords, tokens) must never be committed to the repo. Keep it in a `.env` file and make sure `.env` is listed in `.gitignore`.

Thank you for helping keep KisanAI secure!

This document describes our security practices and how to report vulnerabilities responsibly. If you discover a vulnerability, report it privately: use GitHub's private vulnerability reporting if it is enabled for this repository, or email the maintainers listed in CODEOWNERS with steps to reproduce. Do not disclose the issue publicly until a fix has been released.

Security contact: see SUPPORT.md for contact channels and escalation.
## Table of Contents

- Supported Versions
- Security Practices
- Reporting Vulnerabilities
- Our Response Process
- Security Best Practices
- Known Security Considerations
## Supported Versions

We maintain security support for:

| Version | Status | Support Until |
|---|---|---|
| v1.0.x | ✅ Stable | Dec 2025 |
| v0.4.x | ✅ Stable | Sep 2025 |
| v0.3.x | | Jun 2025 |
| v0.2.x | ❌ Unsupported | Mar 2025 |
| < v0.2 | ❌ Unsupported | - |

Security updates: fixes for critical issues are targeted for release within 24-48 hours of confirmation; lower-severity fixes follow the targets listed under Our Response Process. Security fixes are released for all supported version lines.

Feature updates: released monthly in stable versions.
## Security Practices

- ✅ Type Safety: Mandatory TypeScript for type checking
- ✅ Dependency Audits: `npm audit` before each release
- ✅ Code Review: All code reviewed before merge
- ✅ OWASP Compliance: Follow the OWASP Top 10
- ✅ Input Validation: Validate and sanitize all user input at the boundary
- ✅ Output Encoding: Encode output in its destination context to prevent XSS
- ✅ Encryption in Transit: HTTPS/TLS for all communications
- ✅ Encryption at Rest: Encrypt sensitive data at rest (currently partial; see Known Security Considerations)
- ✅ Access Control: Proper authentication and authorization on every endpoint
- ✅ Privacy: GDPR and local privacy compliance
- ✅ Data Retention: Clear data deletion policies
- ✅ Audit Logging: Log security-relevant events
- ✅ Infrastructure as Code: Secure configuration management
- ✅ Secrets Management: Use environment variables, never hardcoded secrets
- ✅ Monitoring: Real-time security monitoring
- ✅ Incident Response: Have an incident response plan
- ✅ Regular Updates: Keep dependencies updated
- ✅ Security Headers: Implement security headers
- ✅ Git Security: Protect the main branch with required reviews
- ✅ CI/CD Security: Secure build and deployment pipeline
- ✅ Dependency Management: Track and update dependencies
- ✅ Secret Scanning: Detect accidentally committed secrets
- ✅ Security Tests: Automated security testing in CI
- ✅ Documentation: Security documentation for developers
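The "`npm audit` before each release" practice above is only useful if the audit result actually blocks a release. The following is an added example (not KisanAI project code) of a release gate that reads the JSON produced by `npm audit --json` (the `auditReportVersion: 2` format emitted by npm 7 and later) and refuses to proceed when anything at or above the chosen severity is present. The report embedded in the block is constructed sample data with made-up package names and advisory URLs, not an audit of KisanAI's real dependencies; the function name `evaluateAudit` is this example's own.

```javascript
// Added example (not KisanAI project code): a release gate over the JSON that
// `npm audit --json` produces (auditReportVersion 2, npm 7+). The sample
// report at the bottom is constructed; package names and URLs are made up.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether a release may proceed. `threshold` is the lowest severity
// that blocks, mirroring `npm audit --audit-level=<level>`. Unknown severity
// strings are treated as critical so a format change fails closed.
function evaluateAudit(report, threshold = 'high') {
  const limit = SEVERITY_RANK[threshold] ?? SEVERITY_RANK.critical;
  const blocking = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity] ?? SEVERITY_RANK.critical;
    if (rank < limit) continue;
    blocking.push({
      name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `fixAvailable` is `true`, `false`, or an object describing a fix that
      // crosses a semver-major boundary; only `true` means `npm audit fix`
      // resolves it without a breaking upgrade.
      fixAvailable: v.fixAvailable === true ? 'auto' : v.fixAvailable ? 'breaking' : 'none',
      // `via` holds advisory objects for the root cause and plain package
      // names for packages that are only affected transitively.
      advisories: (v.via || [])
        .filter((x) => typeof x === 'object' && x.url)
        .map((x) => x.url),
    });
  }
  // Worst severity first, then direct dependencies (the ones this repo can
  // bump itself), then by name for a stable report.
  blocking.sort((a, b) =>
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] ||
    Number(b.direct) - Number(a.direct) ||
    a.name.localeCompare(b.name));
  return { ok: blocking.length === 0, blocking };
}

// Constructed sample in the shape of `npm audit --json` output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ source: 1001, name: 'example-parser', title: 'Prototype pollution',
              url: 'https://example.invalid/advisories/1001', severity: 'high', range: '<2.0.0' }],
      effects: ['example-web'], range: '<2.0.0',
      nodes: ['node_modules/example-parser'], fixAvailable: true,
    },
    'example-web': {
      name: 'example-web', severity: 'high', isDirect: false,
      via: ['example-parser'], effects: [], range: '*',
      nodes: ['node_modules/example-web'], fixAvailable: true,
    },
    'example-logger': {
      name: 'example-logger', severity: 'moderate', isDirect: true,
      via: [{ source: 1002, name: 'example-logger', title: 'ReDoS',
              url: 'https://example.invalid/advisories/1002', severity: 'moderate', range: '<1.4.2' }],
      effects: [], range: '<1.4.2', nodes: ['node_modules/example-logger'],
      fixAvailable: { name: 'example-logger', version: '2.0.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

// Stand-alone demo on the constructed report: two high findings block.
console.log(JSON.stringify(evaluateAudit(SAMPLE_REPORT), null, 2));
```

In a release job this would run as `npm audit --json > audit.json` followed by a small wrapper that passes the parsed file to `evaluateAudit` and exits non-zero when `ok` is false. The `direct` and `fixAvailable` fields tell the release manager which blockers this repository can fix on its own with a dependency bump and which need an upstream release or a major-version upgrade.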
## Reporting Vulnerabilities

DO NOT open a public issue for security vulnerabilities.

Instead, please email: ashishparab03@gmail.com

Subject line: `[SECURITY] Vulnerability Report - [Brief Description]`
Please provide:

1. Description
   - What is the vulnerability?
   - What can an attacker do with it?
   - How severe is it?
2. Affected Component
   - Which file(s) are affected?
   - Which version(s) are vulnerable?
   - When was it introduced?
3. Steps to Reproduce
   - Clear, step-by-step instructions
   - Include sample code if helpful
   - Specify the environment (browser, OS, etc.)
4. Impact
   - Who is affected? (All users? Specific roles?)
   - What data could be compromised?
   - What systems could be affected?
5. Proof of Concept
   - Optional: minimal code demonstrating the issue
   - Do not include:
     - Full exploit code
     - Real user data
     - Any personally identifiable information
6. Your Information
   - Name and contact info (can be anonymous)
   - PGP key (optional, if you want an encrypted response)
Example report:

Subject: [SECURITY] SQL Injection in farmer search

Description:
The farmer search endpoint (`/api/search`) is vulnerable to SQL injection.

Affected Component:
- File: src/api/routes/farmers.js (line 125)
- Versions: v0.3.0, v0.4.0
- Introduced: v0.3.0

Steps to Reproduce:
1. Navigate to the search page
2. Enter: `' OR '1'='1`
3. Observe: all farmers are returned regardless of the input

Impact:
- All farmer data could be exposed
- Users could modify other users' data
- Authentication could be bypassed

Code:
The query uses string concatenation, so the input is parsed as SQL:

```js
const query = `SELECT * FROM farmers WHERE name = '${input}'`
```

PoC:

```sh
curl "http://localhost:3000/api/search?q=%27%20OR%20%271%27=%271"
```
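For the sample report above, here is what the fix looks like, as an added example that is not KisanAI's own code: the concatenated query from the report next to a handler that validates the search term and passes it to the driver as a bound parameter. The route helper `searchFarmers`, the validator `validateSearchTerm`, the `farmers` column names and the `db.query(text, values)` stand-in are all assumptions of this example (the placeholder style `$1` follows node-postgres; mysql2 uses `?`, and a real driver's `query` is asynchronous). The farmer rows are constructed sample data. The second payload is deliberately chosen to pass the character allow-list, to show that input validation narrows the attack surface but the parameterized statement is what actually removes the injection.

```javascript
// Added example, not KisanAI project code. Assumed names: searchFarmers,
// validateSearchTerm, SEARCH_SQL, the farmers columns, and db.query(text,
// values) as a synchronous stand-in for the real (async) driver call.

// --- Vulnerable form, as described in the report -----------------------------
// The input becomes part of the SQL text: a quote closes the literal and the
// rest of the input is parsed as SQL.
function buildVulnerableQuery(input) {
  return `SELECT * FROM farmers WHERE name = '${input}'`;
}

// --- Hardened form -------------------------------------------------------------
// Step 1: validate at the boundary. Letters in any script (so Devanagari
// names work), combining marks, spaces, dots, apostrophes and hyphens, at
// most 64 characters. This is defence in depth, NOT the fix: an apostrophe is
// a legitimate name character and must be allowed.
const NAME_PATTERN = /^[\p{L}\p{M}\s.'-]{1,64}$/u;

function validateSearchTerm(raw) {
  if (typeof raw !== 'string') return null;
  const term = raw.trim();
  return NAME_PATTERN.test(term) ? term : null;
}

// Step 2: keep SQL text and data apart. The statement is a constant and the
// driver binds `$1` as a value, so whatever the user typed is compared as a
// name and cannot change the structure of the query.
const SEARCH_SQL = 'SELECT id, name, district FROM farmers WHERE name = $1';

function searchFarmers(db, rawTerm) {
  const term = validateSearchTerm(rawTerm);
  if (term === null) {
    return { status: 400, body: { error: 'invalid search term' } };
  }
  return { status: 200, body: db.query(SEARCH_SQL, [term]) };
}

// Constructed in-memory stand-in for the database driver. It refuses any
// statement text containing a quote (anything that looks concatenated) and
// treats the bound value purely as data, which is what a prepared statement
// guarantees.
const SAMPLE_FARMERS = [
  { id: 1, name: 'Asha Patil', district: 'Pune' },
  { id: 2, name: "Maria D'Souza", district: 'North Goa' },
];

const fakeDb = {
  lastCall: null,
  query(text, values) {
    if (text.includes("'")) throw new Error('stub accepts parameterized statements only');
    this.lastCall = { text, values };
    return SAMPLE_FARMERS.filter((row) => row.name === values[0]);
  },
};

// The classic payload fails validation because `=` is not allowed. The second
// payload uses only allowed characters, so it reaches the database; there it
// is bound as a name and matches nothing.
const CLASSIC_PAYLOAD = "' OR '1'='1";
const PASSES_VALIDATION = "' OR 'a' LIKE 'a";

console.log('concatenated :', buildVulnerableQuery(CLASSIC_PAYLOAD));
console.log('classic      :', searchFarmers(fakeDb, CLASSIC_PAYLOAD).status);
console.log('allow-listed :', searchFarmers(fakeDb, PASSES_VALIDATION).body.length, 'rows');
console.log("real name    :", searchFarmers(fakeDb, "Maria D'Souza").body);
```

When reviewing a fix for a report like this, check both halves: the query text must be a constant with no template interpolation of request data, and the validation must not have been tightened so far that legitimate names (apostrophes, non-Latin scripts) are rejected.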
## Our Response Process

1. Acknowledgement (within 48 hours)
   - We confirm receipt of your report
   - Provide you with a ticket number
   - Give an initial estimate of the fix timeline
2. Triage
   - We reproduce the vulnerability
   - Assess severity and impact (see the severity levels below)
   - Identify affected versions
   - Plan a fix
3. Fix
   - Fix the vulnerability
   - Write security tests covering the issue
   - Prepare a patch release
4. Verification
   - Test the fix thoroughly
   - Verify it doesn't introduce new issues
   - Ask the reporter to confirm the fix (if possible)
5. Release
   - Release the security update
   - Publish a security advisory
   - Public announcement
6. Recognition
   - Credit the reporter (if desired)
   - Add the report to the security advisories
   - Public thanks
### Severity Levels

We classify vulnerabilities using the CVSS v3.1 qualitative rating scale; the fix and release targets are counted from confirmation of the report.

#### Critical (CVSS 9.0-10.0)

- 🔴 Allows complete system compromise
- 🔴 Exposes all user data
- 🔴 Enables remote code execution
- ⏱️ Fix Target: 24 hours
- ⏱️ Release Target: 48 hours

#### High (CVSS 7.0-8.9)

- 🟠 Significant impact on security
- 🟠 Could compromise multiple accounts
- 🟠 Exposes sensitive data
- ⏱️ Fix Target: 72 hours
- ⏱️ Release Target: 1 week

#### Medium (CVSS 4.0-6.9)

- 🟡 Moderate security impact
- 🟡 Affects specific users or data
- 🟡 Requires specific conditions to exploit
- ⏱️ Fix Target: 1 week
- ⏱️ Release Target: 2 weeks

#### Low (CVSS 0.1-3.9)

- 🟢 Minor security impact
- 🟢 Affects edge cases
- 🟢 Limited real-world impact
- ⏱️ Fix Target: 2 weeks
- ⏱️ Release Target: Next release
## Security Best Practices

### For Users

- ✅ Keep your browser updated
- ✅ Use strong, unique passwords
- ✅ Enable two-factor authentication
- ✅ Don't share your API keys
- ✅ Report suspicious activity
- ✅ Keep your OS and apps updated

### For Developers

- ✅ Never commit secrets (API keys, passwords)
- ✅ Always validate user input
- ✅ Use parameterized queries
- ✅ Implement proper authentication
- ✅ Use security headers
- ✅ Keep dependencies updated
- ✅ Write security tests
- ✅ Review security implications in PRs
- ✅ Follow secure coding practices

### For Contributors

- ✅ Think about security in code review
- ✅ Report issues responsibly
- ✅ Help improve security docs
- ✅ Participate in security discussions
## Known Security Considerations

API Rate Limiting
- Status: 🟡 Partially implemented
- Plan: Complete in v0.5.0

2FA Support
- Status: 🔴 Not implemented
- Plan: Implement in v0.4.0

Encryption at Rest
- Status: 🟡 Partial (new data only)
- Plan: Complete migration of existing data in v0.5.0

API Key Rotation
- Status: 🟡 Manual process
- Plan: Automate in v1.0.0

Session Management
- Status: 🟡 Basic implementation
- Plan: Enhance in v0.4.0

Roadmap summary:

| Issue | Severity | Target Version | Timeline |
|---|---|---|---|
| Rate Limiting | High | v0.5.0 | Q2 2025 |
| 2FA | High | v0.4.0 | Q1 2025 |
| Full Encryption at Rest | High | v0.5.0 | Q2 2025 |
| API Key Rotation | Medium | v1.0.0 | Q4 2025 |
| Advanced Session Management | Medium | v0.4.0 | Q1 2025 |
For encrypted communication, use our PGP key:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Key details here]
-----END PGP PUBLIC KEY BLOCK-----
```
We're grateful to security researchers who responsibly disclose vulnerabilities:
2024 Security Contributors:
- [Coming soon: First researcher names]
Special Thanks To:
- OWASP for security guidelines
- The security research community
- 📧 Security Issues: ashishparab03@gmail.com
- 🐙 GitHub: @security-team
- 🚨 Emergency: contact the maintainers directly
This policy is reviewed:
- Quarterly: Security practices review
- Annually: Comprehensive security audit
- As Needed: In response to new threats
Last Updated: December 2024
Thank you for your vigilance and responsible disclosure.