We provide security updates for actively maintained services in the DEAF-FIRST Platform:

| Service | Supported | Notes |
|---|---|---|
| DeafAUTH | ✅ | Identity and authentication |
| PinkSync | ✅ | 1 Layer Accessibility Control |
| Fibonrose | ✅ | Trust metrics and AI workflows |
| Pinkflow | ✅ | AI & Accessibility pipelines |
| VR4deaf | ✅ | VR pathways and immersive apps |

Older versions or archived builds are not supported.
We take security seriously. If you discover a vulnerability:
- Do not open a public issue.
- Email the security steward team at: security@yourdomain.org
- Include:
  - A clear description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested mitigation (if known)
We will acknowledge receipt within 24 hours and provide updates within 7 days.
- All code must pass linting, tests, and security scans before merging.
- Secrets are stored in `.env` files or vaults — never committed.
- Dependencies are pinned (`deno.lock`, `package-lock.json`) and audited regularly.
- Role-based access is enforced across all services, with DeafAUTH as the identity backbone.
- Each service uses its own Postgres schema (`deafauth`, `pinksync`, `fibonrose`, etc.).
- Sensitive data is encrypted at rest and in transit (TLS, AES).
- Logs exclude secrets and personally identifiable information (PII).
- Vulnerabilities are reported via email or the GitHub Security tab.
- Critical issues are addressed within 24 hours.
- Non-critical issues are addressed within 7 days.
- All incidents are documented in the repository.
- WCAG 2.1 AAA accessibility standards are enforced across all apps.
- GDPR/CCPA compliance is maintained for user data.
- Quarterly audits ensure compliance and accessibility.
- This policy is reviewed quarterly.
- New projects must adopt this policy before deployment.
- Contributors are encouraged to propose improvements via pull requests.
For security concerns, contact:
Security Steward Team
Email: security@360magicians.com