Skip to content

Security: lekhrocks/eka-backend

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you find a security issue, do not open a public issue. Email the maintainer directly or open a private security advisory on GitHub.

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

You should receive a response within 48 hours.

What to report

  • Hardcoded credentials, API keys, or tokens
  • JWT signing key exposure
  • OAuth2 flow bypasses
  • SQL / prompt injection vectors
  • Insecure default configurations that could lead to data exposure in production deployments

What's in scope

EKA stores and indexes potentially sensitive internal documentation and code. Vulnerabilities in authentication, authorization, data isolation, and credential management are the highest priority.

Out of scope

  • Infrastructure services started by docker compose (PostgreSQL, Redis, Kafka, Neo4j) running with dev defaults — these are documented as dev-only.
  • Rate-limit exhaustion on unauthenticated endpoints (tracked as regular issues).

There aren't any published security advisories