Security: SidVaidya2005/PromptX

docs/security.md

Security Policy

PromptX is a MERN-stack AI chat application. It handles Google sign-in, session tokens, a MongoDB datastore, and an upstream call to the Gemini API, so we take security reports seriously and appreciate responsible disclosure.

Supported versions

PromptX is pre-1.0 and ships from a single active line of development. Only the latest commit on the main branch receives security fixes. If you are running an older clone, please update before reporting.

Version          Supported
main (latest)    Yes
Older commits    No

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Report privately through either channel:

To help us triage quickly, include where you can:

  • A description of the issue and the impact you believe it has.
  • Steps to reproduce (a proof of concept, request samples, or a short script).
  • Affected area (frontend, backend route, auth flow, dependency, etc.).
  • Any suggested remediation.

What to expect

  • Acknowledgement within 5 business days.
  • An initial assessment and severity estimate after we reproduce the issue.
  • Coordinated disclosure: we will agree on a timeline with you before any public write-up, and credit you in the fix unless you prefer to stay anonymous.

This is a personal, volunteer-maintained project, so timelines are best-effort rather than contractual.

Security model and notes

Things to keep in mind when reviewing or self-hosting PromptX:

  • Secrets live in .env files and must never be committed. The backend requires MONGODB_URI, GEMINI_API_KEY, GOOGLE_CLIENT_ID, and JWT_SECRET (see Backend/.env.example). Generate JWT_SECRET with something like openssl rand -hex 32 and rotate it if you suspect exposure — rotating it invalidates all existing sessions.
  • Session tokens are HS256 JWTs stored in localStorage (promptx_jwt) and sent as Authorization: Bearer <jwt>. This is convenient but readable by any script running on the page, so be conservative about third-party scripts.
  • GOOGLE_CLIENT_ID must match between the backend and the frontend (VITE_GOOGLE_CLIENT_ID), and the OAuth client should be scoped to the origins you actually serve from.
  • CORS is allowlisted. Only add trusted origins to ALLOWED_ORIGINS in Backend/config/constants.js.
  • The Gemini API key is used server-side only. Never expose it to the frontend bundle.
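The secret handling described in the first two bullets, as an added example that is not PromptX's own code: a startup check for the four required variables, plus a minimal HS256 sign/verify on Node's built-in crypto module showing that a token issued under the old JWT_SECRET stops verifying once the secret is rotated. The function names, the 64-hex-character rule and the sample payload are assumptions made for illustration.

```javascript
// Added example, not PromptX code. Function names are hypothetical.
const crypto = require('node:crypto');

const REQUIRED = ['MONGODB_URI', 'GEMINI_API_KEY', 'GOOGLE_CLIENT_ID', 'JWT_SECRET'];

// Returns a list of problems; an empty list means the backend may start.
function checkEnv(env) {
  const problems = REQUIRED.filter((k) => !env[k]).map((k) => `${k} is missing`);
  // Assumed rule: `openssl rand -hex 32` prints 64 hex characters (32 bytes).
  if (env.JWT_SECRET && !/^[0-9a-f]{64,}$/i.test(env.JWT_SECRET)) {
    problems.push('JWT_SECRET should be at least 64 hex characters');
  }
  return problems;
}

const b64u = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) => crypto.createHmac('sha256', secret).update(input).digest();

function signHS256(payload, secret) {
  const input = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(hmac(secret, input))}`;
}

// Returns the payload, or null when the token is malformed, not HS256, or the
// MAC does not match. Expiry (exp) is not checked in this sketch.
function verifyHS256(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const expected = hmac(secret, `${head}.${body}`);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    return JSON.parse(Buffer.from(body, 'base64url'));
  } catch {
    return null;
  }
}

// Constructed values standing in for two successive `openssl rand -hex 32` runs.
const oldSecret = crypto.randomBytes(32).toString('hex');
const newSecret = crypto.randomBytes(32).toString('hex');
const session = signHS256({ sub: 'constructed-user-id' }, oldSecret);

console.log('before rotation:', verifyHS256(session, oldSecret));
console.log('after rotation: ', verifyHS256(session, newSecret));
```

The verifier pins the algorithm to HS256 and compares the MAC in constant time; a token whose header names any other algorithm is rejected before the signature is examined.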

Out of scope

  • Vulnerabilities in third-party services (Google, MongoDB Atlas, the Gemini API, hosting providers) — report those to the respective vendor.
  • Issues that require a compromised developer machine, a self-modified build, or physical access.
  • Missing hardening that is the deployer's responsibility (e.g. running without HTTPS, leaking your own .env).

Thanks for helping keep PromptX and its users safe.

There aren't any published security advisories