Only the latest version on the main branch receives security updates.
| Version / Branch | Supported |
|---|---|
| main (latest) | Actively patched |
| Older tags | Not supported |
| Forks | Not supported |
Please do NOT open a public GitHub Issue for security vulnerabilities.
Public disclosure before a patch is ready puts all users at risk.
Send a detailed report to:
kumar.gaurav.yadav2007@gmail.com
Use the subject line: `[SECURITY] <short description>`
Our machine-readable security contact is available at:
/.well-known/security.txt
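For reference, an added example of what that file should contain under RFC 9116 (this is illustrative, not the project's actual file: the `Expires` date and the `Canonical` URL are assumptions; the contact address is the one given above). `Contact` and `Expires` are the two mandatory fields; the RFC recommends an expiry less than a year out, and the file must be served as `text/plain` at exactly `/.well-known/security.txt`.

```text
# Assumed contents; only the Contact address comes from this page.
Contact: mailto:kumar.gaurav.yadav2007@gmail.com
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://<portfolio-domain>/.well-known/security.txt
Policy: https://<portfolio-domain>/security
```

A stale `Expires` value is the most common reason automated scanners reject a security.txt, so treat it as something to renew alongside certificates and dependencies.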
A good vulnerability report helps us fix the issue faster. Please include:
1. Affected URL / component / file
2. Type of vulnerability (e.g., XSS, SSRF, injection, auth bypass, ...)
3. Step-by-step reproduction instructions
4. Potential impact / what an attacker could achieve
5. Your environment (browser, OS, Node version if relevant)
6. Screenshots or a proof-of-concept (non-destructive only)
| Stage | Target time |
|---|---|
| Initial acknowledgement | ≤ 48 hours |
| Triage & severity rating | ≤ 5 days |
| Patch / mitigation | ≤ 14 days |
| Public disclosure (if any) | After patch |
Researchers who report valid vulnerabilities and follow responsible disclosure will be credited here (with permission).
No entries yet. Be the first!
The portfolio implements the following defenses:
| Layer | Measure |
|---|---|
| HTTP Headers | Helmet.js: strict CSP, HSTS, X-Frame-Options |
| Rate Limiting | 100 req / 15 min per IP on all API endpoints |
| Input Validation | express-validator on every form endpoint |
| Data Sanitization | MongoDB operator injection prevention via Mongoose |
| CORS | Strict origin allowlist, no wildcard |
| XSS | `dangerouslySetInnerHTML` only on trusted, sanitized blog HTML |
| Fingerprinting | Origin token `ggauravky-4f9e-orig-portfolio-2026` embedded for clone detection (a provenance marker, not a security control) |
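The CORS, rate-limiting and data-sanitization rows above, as an added illustration that is not the portfolio's own code: plain Node functions with no express, helmet or mongoose dependency, so they run stand-alone. The allowed origin, the in-memory user record, the thresholds and all helper names are constructed for the example. The vulnerable lookup shows why operator objects in `req.body` matter: Mongoose schema casting on its own does not neutralise a `{"$gt": ""}` object in a query filter unless the `sanitizeFilter` option is enabled, which is what the hardened version emulates by stripping `$`-prefixed keys and insisting on plain strings.

```javascript
// Added illustration, not code from the portfolio. Assumed values are marked.

// 1. CORS: exact-match origin allowlist (the origin itself is an assumption).
const ALLOWED_ORIGINS = new Set(['https://example-portfolio.test']);

function corsHeadersFor(origin) {
  // Exact string match only: 'https://example-portfolio.test.evil.com' and the
  // literal 'null' origin (sandboxed iframes, file://) must not match, and the
  // request origin is never echoed back unconditionally (the "wildcard with
  // credentials" mistake).
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  }
  return null; // no CORS headers: the browser blocks the cross-origin read
}

// 2. Rate limiting: fixed window of `limit` requests per `windowMs` per client IP
// (defaults mirror the 100 req / 15 min figure in the table).
class RateLimiter {
  constructor(limit = 100, windowMs = 15 * 60 * 1000) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { start, count }
  }
  // Returns true if the request may proceed, false if it should get HTTP 429.
  allow(ip, now = Date.now()) {
    const b = this.buckets.get(ip);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// 3. NoSQL injection: a JSON body like {"username":{"$gt":""}} turns an
// equality lookup into "any user". Drop keys that start with '$' (operators)
// or contain '.' (dotted paths), recursively.
function sanitizeMongo(value) {
  if (Array.isArray(value)) return value.map(sanitizeMongo);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue;
      out[k] = sanitizeMongo(v);
    }
    return out;
  }
  return value;
}

// Vulnerable vs hardened login lookup against a constructed in-memory
// "collection"; a real app would call Model.findOne() with the same filter.
const USERS = [{ username: 'alice', password: 'hunter2' }];

// Minimal emulation of how MongoDB evaluates a filter with a $gt operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([k, cond]) => {
    if (cond && typeof cond === 'object' && '$gt' in cond) return doc[k] > cond.$gt;
    return doc[k] === cond;
  });
}

function findUserVulnerable(body) {
  // Passes req.body fields straight into the filter: {$gt: ""} matches everyone.
  const filter = { username: body.username, password: body.password };
  return USERS.find((u) => matches(u, filter)) || null;
}

function findUserHardened(body) {
  const clean = sanitizeMongo(body);
  // After sanitising, an operator object becomes {}; also require plain strings
  // so a type-confused value can never reach the query.
  if (typeof clean.username !== 'string' || typeof clean.password !== 'string') return null;
  const filter = { username: clean.username, password: clean.password };
  return USERS.find((u) => matches(u, filter)) || null;
}
```

The rate limiter is a fixed window, which allows up to 2× the limit across a window boundary; `express-rate-limit` behaves the same way by default, so pair it with a sliding-window store if that burst matters for a given endpoint.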
The following are not considered security vulnerabilities for this project:
- Issues in forked or cloned copies of this repository
- Social engineering attacks targeting the author
- Self-XSS or attacks requiring physical access to a victim's device
- Denial-of-service via brute-force without a meaningful exploit path
- Bugs in third-party dependencies (please report those upstream)
- Missing security headers on static assets served by Vercel/Render (platform controlled)
Authorized security research is welcome. Any testing must be:
- Limited to your own accounts / data
- Non-destructive: never delete, modify, or exfiltrate real user data
- Performed against the live site only where no real user data is affected
Unauthorized access, data exfiltration, or destructive testing will be reported to relevant authorities.
© 2026 Gaurav Kumar Yadav. All Rights Reserved
Portfolio · GitHub · Report Issue