Security policy

Reporting a vulnerability

Please report security issues privately via email rather than opening a public GitHub issue:

Encrypted reports welcome — PGP key on request.

We aim to acknowledge reports within 48 hours and triage within 7 days.

Reports requiring physical access to a user's device
Self-XSS that requires the victim to type code into devtools
Vulnerabilities in third-party services we depend on (Postgres, Redis, Caddy, Next.js) — please report those upstream
Best-practice nags from automated scanners without a working PoC
Issues that only affect our public marketing site
Rate-limit complaints that don't lead to abuse

We don't yet run a formal bounty program. Reports that lead to a fix will be credited (with permission) in our release notes.

Tenant isolation — every tenant-scoped table has Postgres Row-Level Security; the application sets app.tenant_id per-transaction; bypass requires explicit app.bypass_rls = '1' and only the ADMS receiver + super-admin endpoints flip it.
Biometrics — ZKTeco devices may push fingerprint/face templates. Our ADMS parser drops USERPIC, FACE, FP, BIODATA, FINGERTMP, ATTPHOTO rows BEFORE persisting. We never store biometric templates.
Custom-domain SSL — Caddy on-demand TLS is gated by /api/internal/tls-check; only domains in tenant_domains with status verified|active get certificates issued.
Production guards — the API refuses to boot if JWT_SECRET is short / default, if CORS_ORIGINS contains *, or if BASE_DOMAIN looks like localhost (see apps/api/atgo_api/main.py).