Pouranik is currently in active development and has not yet reached a stable release. We take security seriously from day one and encourage responsible disclosure of any security issues.

Note: Once we reach v1.0.0, we will maintain a formal versioning and security support policy.

• Environment Variable Protection - API keys secured via environment variables
• Input Sanitization - User inputs validated and sanitized
• HTTPS Enforcement - All external API calls use secure connections
• XSS Prevention - React's built-in XSS protection mechanisms
• Dependency Scanning - Automated vulnerability scanning via GitHub Dependabot

• Content Security Policy (CSP) headers
• Rate limiting for API calls
• Enhanced input validation
• Security headers implementation
• Authentication system (future feature)

If you discover a security vulnerability in Pouranik, please report it responsibly:

For Critical/High Severity Issues:

• Method: Create a GitHub issue with [SECURITY] prefix
• Repository: https://github.com/BhaktiMore18/Pouranika/issues/new
• Response Time: Within 48 hours
• Please DO NOT disclose security details publicly until we've addressed the issue

For Lower Severity Issues:

• Create a regular GitHub issue with the security label
• Include detailed reproduction steps
• Response time: Within 1 week

When reporting a vulnerability, please include:

Vulnerability Description:
- Clear description of the security issue
- Affected components/files
- Potential impact assessment

Reproduction Steps:
1. Step-by-step instructions
2. Required environment setup
3. Expected vs actual behavior

Environment Details:
- Browser and version
- Operating system
- Node.js version (if applicable)
- Any relevant configuration

Additional Information:
- Suggested fix (if any)
- Related security resources
- Your contact preference for follow-up

1. Acknowledgment (Within 48 hours)

   • Confirm receipt of report
   • Assign tracking number
   • Initial impact assessment

2. Investigation (1-5 days)

   • Reproduce the issue
   • Assess severity and impact
   • Develop fix strategy

3. Fix Development (1-2 weeks)

   • Implement security fix
   • Test thoroughly
   • Prepare documentation

4. Disclosure (Coordinated)

   • Deploy fix to main branch
   • Update security documentation
   • Credit reporter (if desired)

• Never commit API keys, tokens, or secrets to the repository
• Use environment variables for all sensitive configuration
• Validate and sanitize all user inputs
• Follow React security best practices
• Run security audits before submitting pull requests

# Install dependencies securely
npm ci

# Run security audit
npm audit --audit-level moderate

# Check for vulnerabilities
npm audit fix

# Correct - Use environment variables
VITE_GOOGLE_BOOKS_API_KEY=your_api_key_here

# Incorrect - Never hardcode secrets
const API_KEY = "AIzaSyD..." // DO NOT DO THIS

• No hardcoded secrets or API keys
• Input validation implemented
• External links use HTTPS
• Dependencies are up to date
• No security warnings in build output

• React Security Best Practices
• Vite Security Guide
• OWASP Frontend Security
• Node.js Security Checklist

• npm audit - Dependency vulnerability scanning
• ESLint Security Plugin - Static analysis
• Snyk - Advanced vulnerability scanning

We appreciate security researchers and contributors who help keep Pouranik secure:

No security reports have been received yet. Be the first to help us improve!

When we receive our first security report, contributors will be listed here (with their permission).

Security Questions: Create a GitHub issue with the security and question labels
General Discussion: Use GitHub Discussions
Project Repository: https://github.com/BhaktiMore18/Pouranika

This security policy applies to:

• Main Pouranik repository code
• Documentation and configuration files
• Build and deployment scripts
• Third-party integrations (Google Books API)

Out of Scope:

• Issues in third-party dependencies (report to respective maintainers)
• General web browser vulnerabilities
• Issues requiring physical access to user devices

By participating in our security disclosure program, you agree to:

• Make a good faith effort to avoid privacy violations and disruptions
• Only interact with accounts you own or have explicit permission to access
• Not access or modify user data without permission
• Report vulnerabilities as soon as possible after discovery
• Allow reasonable time for issue resolution before public disclosure

Last Updated: January 2025
Policy Version: 1.0 (Pre-release)
Next Review: Upon first stable release

Security is a shared responsibility. Thank you for helping us build a secure platform for book discovery.