If you discover a security vulnerability in this project, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email us at: security@vstorm.co

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

Projects generated by this template include several security features:

• JWT authentication with refresh token rotation
• Password hashing via bcrypt
• CORS configuration with explicit origin allowlists
• CSRF protection middleware
• Rate limiting via slowapi
• API key authentication with secure header transport
• SQL injection prevention via SQLAlchemy parameterized queries
• Input validation via Pydantic v2 strict schemas
• Secret key validation requiring minimum 32-character keys
• HTTP-only cookies for token storage (frontend)

We follow a coordinated disclosure process. After a fix is released, we will publicly credit reporters (unless anonymity is requested).