We actively support the following versions of CareerPython with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of CareerPython seriously. If you discover a security vulnerability, please follow these steps:
Do NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities privately by:
- Email: Send details to [email protected]
- Subject: Use the subject line "SECURITY: [Brief description]"
- Encryption: For sensitive information, you may request our PGP key
Please include as much of the following information as possible:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Location of the vulnerability (file path, URL, function name)
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up questions
We will acknowledge receipt of your vulnerability report within 48 hours and provide:
- Initial assessment within 7 days
- Regular progress updates during investigation
- Target resolution timeline based on severity
- Credit in our security advisory (if desired)
We appreciate security researchers who help keep CareerPython secure:
- Public recognition in our Hall of Fame (with your permission)
- Mention in release notes for security fixes
- LinkedIn recommendation for significant findings
- Potential collaboration opportunities
CareerPython implements multiple security layers:
- JWT token-based authentication
- Argon2 password hashing
- Role-based access control (RBAC)
- Session management with secure tokens
- Input validation with Pydantic models
- SQL injection prevention via SQLAlchemy ORM
- XSS protection through output encoding
- CSRF protection for state-changing operations
- Environment variable isolation
- Secret management best practices
- Docker container security
- HTTPS encryption in production
- Security event logging
- Failed authentication tracking
- Suspicious activity detection
- Error reporting without sensitive data exposure
Never commit sensitive information to the repository:

```bash
# ❌ DON'T DO THIS
SECRET_KEY=actual-secret-key-here

# ✅ DO THIS INSTEAD
SECRET_KEY=your-secret-key-here-change-in-production
```

- Use strong database passwords
- Enable database connection encryption
- Regularly update database software
- Implement proper backup encryption
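The secret-handling rule above (keep only the placeholder in the repository, load the real key from the environment) implies a startup check. The following is an added example, not CareerPython's own code: it reads `SECRET_KEY` from the environment and refuses to start if the value is missing, still equals the documented placeholder, or is too short or low-entropy to sign JWTs safely. The length and entropy thresholds are assumptions chosen for this example.

```python
import math
import os
from collections import Counter
from typing import Mapping, Optional

# Placeholder copied from the .env example; the real key must come from the
# deployment environment and never from the repository.
PLACEHOLDER_SECRET = "your-secret-key-here-change-in-production"
MIN_SECRET_LENGTH = 32      # assumed policy value, not from the project
MIN_BITS_PER_CHAR = 3.0     # assumed entropy floor, not from the project


def shannon_entropy(value: str) -> float:
    """Estimate bits of entropy per character from character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def secret_key_problem(value: Optional[str]) -> Optional[str]:
    """Return why `value` is unacceptable as SECRET_KEY, or None if it is fine."""
    if not value:
        return "SECRET_KEY is not set; export it in the environment"
    if value.strip() == PLACEHOLDER_SECRET:
        return "SECRET_KEY still holds the .env example placeholder"
    if len(value) < MIN_SECRET_LENGTH:
        return f"SECRET_KEY is shorter than {MIN_SECRET_LENGTH} characters"
    if shannon_entropy(value) < MIN_BITS_PER_CHAR:
        return "SECRET_KEY is low-entropy; generate it with secrets.token_urlsafe(48)"
    return None


def load_secret_key(environ: Mapping[str, str] = os.environ) -> str:
    """Read SECRET_KEY at startup and refuse to run with a weak or placeholder key."""
    value = environ.get("SECRET_KEY")
    problem = secret_key_problem(value)
    if problem:
        raise RuntimeError(problem)
    return value


if __name__ == "__main__":
    # Fail fast: a JWT signing key readable from git lets anyone mint tokens.
    print("SECRET_KEY accepted, length", len(load_secret_key()))
```

Call `load_secret_key()` once during application start-up (for example where settings are built) so a misconfigured deployment fails before it serves a single request.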
- Rate limiting on all endpoints
- Input validation on all requests
- Proper error handling without information leakage
- CORS configuration for allowed origins
- No hardcoded secrets or credentials
- Input validation for all user inputs
- Proper error handling without sensitive data exposure
- Authentication/authorization checks where needed
- SQL queries use parameterized statements
- File uploads are properly validated and sandboxed
- Regularly update dependencies to patch known vulnerabilities
- Use `uv audit` to check for known security issues
- Pin dependency versions for reproducible builds
- Review third-party packages before adding them
- Include security test cases
- Test authentication and authorization scenarios
- Validate input sanitization
- Test error handling scenarios
We use the following severity levels for vulnerabilities, grouped by response time:
- Response time: 24-48 hours
  - Remote code execution
  - SQL injection with data access
  - Authentication bypass
- Response time: 3-7 days
  - Privilege escalation
  - Sensitive data exposure
  - Cross-site scripting (stored)
- Response time: 7-14 days
  - Cross-site scripting (reflected)
  - Information disclosure
  - Denial of service
- Response time: 14-30 days
  - Minor information disclosure
  - Security configuration issues
1. Vulnerability confirmed and severity assessed
2. Fix developed and tested in private branch
3. Security advisory prepared
4. Coordinated disclosure with timeline
5. Patch released with security notes
6. Public disclosure after patch is available
We thank the following security researchers for their responsible disclosure:
No security vulnerabilities have been reported yet.
For security-related questions or concerns:
- Email: [email protected]
- LinkedIn: Juan Macías
Thank you for helping keep CareerPython and our users safe!