| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email us at: security@furvur.com
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Investigation: We will investigate and validate the issue within 7 days
- Resolution: We aim to release a fix within 30 days for critical issues
- Disclosure: We will coordinate with you on public disclosure timing
When deploying Checkend, ensure you:
- Use HTTPS: Always deploy behind SSL/TLS
- Secure credentials: Use Rails encrypted credentials, never commit secrets
- Database security: Use strong passwords, restrict network access
- Keep updated: Regularly update Rails and gem dependencies
- Run security scans: Use `bin/brakeman` and `bin/bundler-audit` regularly
We use the following tools to maintain security:

```shell
# Static analysis for Rails vulnerabilities
bin/brakeman --no-pager

# Check for known gem vulnerabilities
bin/bundler-audit

# Check JavaScript dependencies
bin/importmap audit
```

These checks run automatically in CI on every pull request.
Checkend includes several security features:
- Password history: Prevents reuse of last 5 passwords
- Session management: View and revoke active sessions
- API key scoping: Fine-grained API permissions
- Encrypted credentials: Sensitive data encrypted at rest
- CSRF protection: Built-in Rails CSRF tokens
- SQL injection prevention: ActiveRecord parameterized queries
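As an added illustration of the password-history feature listed above (example code, not Checkend's own implementation): a small class that keeps the salted hashes of the last 5 passwords and rejects any new password that matches one of them. It assumes PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library for hashing; a Rails app would normally hash with bcrypt via `has_secure_password`, but the history check works the same way.

```ruby
require "openssl"
require "securerandom"

# Illustrative password-history check (not Checkend's code).
# Stores salted hashes of the last HISTORY_SIZE passwords so a user
# cannot rotate back to one of them. Plaintext passwords are never kept.
class PasswordHistory
  HISTORY_SIZE = 5
  ITERATIONS   = 50_000  # assumption: tune to your hardware budget
  KEY_LENGTH   = 32

  Entry = Struct.new(:salt, :digest)

  def initialize
    @entries = [] # oldest first, newest last
  end

  # True if +password+ matches any of the last HISTORY_SIZE passwords.
  # Each entry has its own salt, so the candidate is re-derived per entry.
  def reused?(password)
    @entries.any? { |e| secure_equal?(e.digest, derive(password, e.salt)) }
  end

  # Records a newly set password. Raises when the password was recently
  # used so a caller (e.g. a model validation) can surface the error.
  def record!(password)
    raise ArgumentError, "password was used recently" if reused?(password)
    salt = SecureRandom.random_bytes(16)
    @entries << Entry.new(salt, derive(password, salt))
    @entries.shift while @entries.size > HISTORY_SIZE # drop the oldest
    true
  end

  def size
    @entries.size
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: KEY_LENGTH, hash: "sha256")
  end

  # Constant-time comparison so timing does not reveal which entry matched.
  def secure_equal?(a, b)
    OpenSSL.secure_compare(a, b)
  end
end
```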
We appreciate security researchers who help keep Checkend secure. Contributors who report valid vulnerabilities will be acknowledged here (with permission).