TheAuth takes security seriously. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Option 1 (preferred): Use GitHub's private vulnerability reporting: github.com/glincker/theauth/security/advisories/new

Option 2: Email support@glincker.com with the subject [Security] theauth vulnerability and include:

1. Description of the vulnerability
2. Steps to reproduce
3. Impact assessment
4. Any suggested fixes (optional)

• Acknowledgment within 48 hours
• Assessment within 5 business days
• Fix timeline communicated within 10 business days
• Public disclosure within 90 days of confirmation, coordinated with the reporter. If a fix cannot ship in that window, we will still disclose so users can mitigate.
• Credit in the security advisory (unless you prefer anonymity)

The following are in scope:

• Authentication bypass
• Authorization flaws (permission escalation, delegation bypass)
• Token leakage or prediction
• Session fixation or hijacking
• SQL injection
• Cross-site scripting (XSS) in UI components
• Cross-site request forgery (CSRF) bypass
• Cryptographic weaknesses
• Information disclosure

• Denial of service (DoS)
• Social engineering
• Issues in dependencies (report to the upstream project)
• Issues requiring physical access

When using TheAuth in production:

1. Always use HTTPS in production
2. Set strong session secrets - never use defaults
3. Enable rate limiting to prevent brute force
4. Use HIBP checking for password breach detection
5. Enable TOTP or passkeys for admin accounts
6. Rotate API keys regularly
7. Monitor the audit trail for anomalies
8. Keep theauth updated to the latest version

TheAuth has only 3 runtime dependencies:

• drizzle-orm - SQL query builder
• jose - JWT/JWS/JWE implementation
• zod - Schema validation

We actively monitor these for vulnerabilities via GitHub Dependabot.