We actively support the following versions of FinSync360 with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
The FinSync360 team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: harsh@greenhacker.tech
Include the following information in your report:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
After you submit a report, here's what will happen:
- Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours.
- Investigation: We'll investigate and validate the vulnerability. This typically takes 1-7 days.
- Response: We'll send you a response indicating the next steps in handling your report. This may include:
  - Request for additional information
  - Confirmation that the issue is valid
  - Notification that the issue is not valid
- Resolution: If the vulnerability is accepted, we'll work on a fix and coordinate the release timeline with you.
- Disclosure: We'll coordinate public disclosure of the vulnerability after a fix is available.
When contributing to FinSync360, please follow these security guidelines:
- Input Validation: Always validate and sanitize user inputs
- SQL Injection: Use parameterized queries and ORM methods
- XSS Prevention: Escape output and use Content Security Policy
- Authentication: Implement proper JWT token handling
- Authorization: Verify user permissions for all operations
- Secrets Management: Never commit API keys, passwords, or secrets
- Keep dependencies up to date
- Regularly audit dependencies for vulnerabilities
- Use `npm audit` and `pip-audit` to check for known vulnerabilities
- Use environment variables for sensitive configuration
- Implement proper CORS policies
- Use HTTPS in production
- Enable security headers (HSTS, CSP, etc.)
- All default passwords changed
- Environment variables properly configured
- Database connections encrypted
- API rate limiting enabled
- Security headers configured
- HTTPS/SSL certificates valid
- Backup and recovery procedures tested
- Monitoring and logging enabled
- Regular security updates applied
- Use strong, unique passwords
- Enable encryption at rest and in transit
- Implement proper access controls
- Regular backup and recovery testing
- Monitor for suspicious activities
- Implement rate limiting
- Use API versioning
- Validate all inputs
- Implement proper error handling
- Use CORS appropriately
- Monitor API usage
- Authentication & Authorization
  - JWT token handling
  - Session management
  - Role-based access control
- Data Protection
  - Personal information handling
  - Financial data encryption
  - Payment processing security
- API Security
  - Input validation
  - Rate limiting
  - Error handling
- File Handling
  - Upload validation
  - Path traversal prevention
  - Malware scanning
- Third-party Integrations
  - Tally ERP integration
  - Payment gateway security
  - External API communications
Security updates will be released as soon as possible after a vulnerability is confirmed and fixed. Updates will be communicated through:
- GitHub Security Advisories
- Release notes
- Email notifications to maintainers
Currently, we do not have a formal bug bounty program. However, we greatly appreciate security researchers who responsibly disclose vulnerabilities and will acknowledge their contributions in our security advisories.
For security-related questions or concerns:
- Email: harsh@greenhacker.tech
- Subject: [SECURITY] Your subject here
For general questions about this security policy:
- Create an issue with the label `security`
- Email: harsh@greenhacker.tech
We would like to thank the following security researchers for their responsible disclosure of vulnerabilities:
Remember: Security is everyone's responsibility. If you see something, say something.