The following versions of PMOVES-DoX are currently supported with security updates:

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT create a public GitHub issue for security vulnerabilities
2. Email security concerns to the repository maintainers via GitHub private messaging
3. Include as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 1 week
• Resolution Timeline: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Next scheduled release

• We will work with you to understand the issue
• We will develop and test a fix
• We will credit you in the security advisory (unless you prefer anonymity)
• We will coordinate disclosure timing with you

• Never commit .env files with real credentials
• Use .env.example as a template
• Rotate credentials regularly
• Use strong, unique passwords

• Keep Docker images updated
• Use non-root users in containers
• Limit container privileges
• Scan images for vulnerabilities

• Use strong database passwords
• Enable SSL/TLS for database connections
• Regularly backup data
• Limit database access to necessary services

• Use HTTPS in production
• Implement rate limiting
• Validate all inputs
• Keep dependencies updated

PMOVES-DoX implements JWT-based authentication using Supabase JWT validation:

• Algorithm: HS256 (HMAC-SHA256) with shared secret

• Dependency: python-jose[cryptography] >= 3.5.0 (CVE fixes included)

• Environment Variables:

  • SUPABASE_JWT_SECRET: Required for JWT validation in production
  • ENVIRONMENT: Defaults to production (set to development for bypass mode)
  • FRONTEND_ORIGIN: CORS-allowed origins (comma-separated)

• Authentication Modes:

  • require_auth: Requires valid JWT, rejects anonymous tokens
  • get_current_user: Returns authenticated user ID
  • optional_auth: Allows anonymous access with logging

• Production Safeguards:

  • Startup raises RuntimeError if python-jose not installed in production
  • Startup raises RuntimeError if SUPABASE_JWT_SECRET not configured in production
  • Anonymous Supabase tokens (role="anon") are explicitly rejected

• Protected Endpoints:

  • /search/rebuild - Search index rebuild (authentication required)
  • /documents/delete/* - Document deletion (authentication required)
  • Database reset operations (authentication required)

• SQLite database is stored locally
• Ensure proper file permissions on backend/db.sqlite3

• Credentials shared with PMOVES.AI ecosystem
• Ensure network isolation between services
• Use environment variable substitution for secrets

Security updates are released as patch versions. Subscribe to repository releases to stay informed.

We follow responsible disclosure practices. Please allow us reasonable time to address vulnerabilities before public disclosure.

Thank you for helping keep PMOVES-DoX secure!