| Version | Supported |
|---|---|
| main | ✅ Active |
| < main | ❌ None |
Do not open a public issue for security vulnerabilities.

If you discover a security vulnerability in any XXXIII.IO component, please report it responsibly:

- Email: security@xxxiii.io
- Subject: `[SECURITY] Brief description`
- Include:
  - Component affected (app, package, service)
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if applicable)

| Stage | Target |
|---|---|
| Acknowledgement | 24 hours |
| Initial triage | 72 hours |
| Fix development | 7–14 days (severity-dependent) |
| Disclosure | Coordinated after patch |
The following components are in scope:

- Applications: Hub, GMIIE, LPS, Studio
- Packages: `@xxxiii/db`, `@xxxiii/types`, `@xxxiii/config`, `@xxxiii/seo`, `@xxxiii/ui`
- Services: Ingestion pipeline, AI engine, queue workers
- Infrastructure: Docker configurations, deployment scripts, CI/CD workflows

The following are out of scope:

- Third-party dependencies (report upstream, notify us)
- Social engineering attacks against XXXIII personnel
- Denial-of-service attacks against production infrastructure

| Surface | Method | Access Control |
|---|---|---|
| Studio (CMS) | NextAuth.js | Role-based: ADMIN, EDITOR, ANALYST, VIEWER |
| Public Apps | None required | Open read access |
| Internal Services | Network isolation | No public exposure |
| Ingestion API | Bearer token | Service-to-service only |
| Revalidation API | Bearer token | Pipeline-triggered |
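
The bearer-token check the table lists for the Ingestion and Revalidation APIs, as an added TypeScript example that is not part of the project's code: it assumes the expected token is the deployment's `REVALIDATION_TOKEN`, parses the `Authorization` header, compares with Node's `timingSafeEqual` so that a partially correct token is rejected in the same time as a completely wrong one, and fails closed (HTTP 500, nothing accepted) when the server-side token is unset or shorter than 32 characters. `SAMPLE_TOKEN` is a constructed value used only for the demonstration.

```typescript
import { timingSafeEqual } from "node:crypto";

// Constructed sample value standing in for one deployment's REVALIDATION_TOKEN
// (hypothetical; in the service it would come from process.env.REVALIDATION_TOKEN).
export const SAMPLE_TOKEN = "c0ffee-4f2a-hypothetical-revalidation-token";

export interface AuthDecision {
  ok: boolean;
  status: number; // HTTP status the route should answer with
  reason: string;
}

// Pull the credential out of an `Authorization: Bearer <token>` header.
// Returns null for a missing header or any other scheme.
export function parseBearer(header: string | undefined): string | null {
  if (!header) return null;
  const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return match ? match[1] : null;
}

// Constant-time equality. timingSafeEqual throws on unequal lengths, so the
// length is compared first; that reveals only the token length, not its bytes.
export function tokensMatch(presented: string, expected: string): boolean {
  const a = new TextEncoder().encode(presented);
  const b = new TextEncoder().encode(expected);
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Decide whether a service-to-service call may proceed. The check fails closed:
// if the deployment's own token is unset or too short, every call is refused
// with a 500 (misconfiguration) rather than silently accepting any caller.
export function authorizeServiceCall(
  authorizationHeader: string | undefined,
  expectedToken: string | undefined,
): AuthDecision {
  if (!expectedToken || expectedToken.length < 32) {
    return { ok: false, status: 500, reason: "server token unset or too short" };
  }
  const presented = parseBearer(authorizationHeader);
  if (presented === null) {
    return { ok: false, status: 401, reason: "missing or malformed bearer token" };
  }
  if (!tokensMatch(presented, expectedToken)) {
    return { ok: false, status: 401, reason: "invalid token" };
  }
  return { ok: true, status: 200, reason: "authorized" };
}

// Stand-alone demonstration against the constructed token.
console.log(authorizeServiceCall(`Bearer ${SAMPLE_TOKEN}`, SAMPLE_TOKEN));
console.log(authorizeServiceCall("Bearer wrong-token", SAMPLE_TOKEN));
console.log(authorizeServiceCall(undefined, undefined));
```

In a Next.js route handler the same function would be called with `request.headers.get("authorization") ?? undefined` and `process.env.REVALIDATION_TOKEN`, and the 500 branch is what surfaces a missing token in a new environment before any caller is let through.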
- Database: PostgreSQL (Neon) with TLS, connection pooling via Prisma
- Secrets: Environment variable isolation per deployment target
- Input validation: Zod schemas at every service boundary
- SQL injection: Prevented by Prisma parameterized queries
- XSS: HTML sanitized via `sanitize-html` with allowlisted tags
- External links: Enforced `rel="noopener noreferrer nofollow"`
- Content integrity: xxhash deduplication, immutable article history

- All editorial actions logged to `AuditLog` (append-only)
- Pipeline execution tracked via `JobLog`
- Structured JSON logging across all services (structlog for Python, console for Node.js)

- Dependabot / Renovate recommended for automated updates
- `pnpm audit` for Node.js vulnerability scanning
- `pip-audit` for Python dependency scanning
- Lock files committed (`pnpm-lock.yaml`, `requirements.txt`)

Before any production deployment, verify:

- All environment variables are set and secrets are not committed
- `.env` is in `.gitignore`
- `REVALIDATION_TOKEN` is set and unique per environment
- Database connection uses TLS
- Redis connection uses TLS in production
- Studio authentication is configured with secure session secrets
- CORS origins are restricted to known domains
- Rate limiting is enabled on public API routes
- Health check endpoints do not expose sensitive information
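
The statically checkable items of this checklist (secrets present, `.env` ignored, `REVALIDATION_TOKEN` long and not reused, TLS on the database and Redis URLs, a session secret set, no wildcard CORS origin) as an added TypeScript pre-deployment script; it is not part of the project's tooling. `DATABASE_URL` is Prisma's conventional variable and `NEXTAUTH_SECRET` is NextAuth.js's session secret; `REDIS_URL` and `CORS_ORIGINS` are assumed names, and the sample environments and `.gitignore` contents are constructed. Rate limiting and health-check output are runtime behaviour and are not covered here.

```typescript
// Variable names: DATABASE_URL (Prisma convention), NEXTAUTH_SECRET (NextAuth.js),
// REVALIDATION_TOKEN (from the checklist); REDIS_URL and CORS_ORIGINS are assumed names.
export const REQUIRED_VARS = [
  "DATABASE_URL",
  "REVALIDATION_TOKEN",
  "NEXTAUTH_SECRET",
  "REDIS_URL",
  "CORS_ORIGINS",
];

export type Env = Record<string, string | undefined>;

// sslmode query parameter of a postgres:// URL, or null if absent or unparsable.
function sslModeOf(url: string): string | null {
  try {
    return new URL(url).searchParams.get("sslmode");
  } catch {
    return null;
  }
}

// Returns a list of findings; an empty list means the environment passes.
// otherEnvTokens holds the REVALIDATION_TOKEN values of the other deployment
// targets so that reuse across environments is caught.
export function preDeployChecks(env: Env, gitignore: string, otherEnvTokens: string[] = []): string[] {
  const findings: string[] = [];

  for (const name of REQUIRED_VARS) {
    if (!env[name]) findings.push(`${name} is not set`);
  }

  // Accept ".env", ".env*" or ".env.*" as an ignore entry.
  const ignored = gitignore.split(/\r?\n/).map((line) => line.trim());
  if (!ignored.some((line) => /^\.env(\*|\.\*)?$/.test(line))) {
    findings.push(".env is not listed in .gitignore");
  }

  const token = env.REVALIDATION_TOKEN;
  if (token) {
    if (token.length < 32) findings.push("REVALIDATION_TOKEN is shorter than 32 characters");
    if (otherEnvTokens.includes(token)) findings.push("REVALIDATION_TOKEN is reused from another environment");
  }

  if (env.DATABASE_URL) {
    const mode = sslModeOf(env.DATABASE_URL);
    if (!mode || !["require", "verify-ca", "verify-full"].includes(mode)) {
      findings.push("DATABASE_URL does not enforce TLS (sslmode=require or stricter)");
    }
  }

  if (env.REDIS_URL && !env.REDIS_URL.startsWith("rediss://")) {
    findings.push("REDIS_URL is not a TLS (rediss://) connection");
  }

  if (env.NEXTAUTH_SECRET && env.NEXTAUTH_SECRET.length < 32) {
    findings.push("NEXTAUTH_SECRET is shorter than 32 characters");
  }

  if (env.CORS_ORIGINS) {
    const origins = env.CORS_ORIGINS.split(",").map((o) => o.trim());
    if (origins.some((o) => o === "*" || !o.startsWith("https://"))) {
      findings.push("CORS_ORIGINS contains a wildcard or non-https origin");
    }
  }

  return findings;
}

// Constructed sample environments (hypothetical values, not real credentials).
export const GOOD_TOKEN = "rvt-0123456789abcdef0123456789abcdef";
export const GOOD_ENV: Env = {
  DATABASE_URL: "postgresql://app:pw@ep-example.neon.tech/hub?sslmode=require",
  REVALIDATION_TOKEN: GOOD_TOKEN,
  NEXTAUTH_SECRET: "nas-0123456789abcdef0123456789abcdef",
  REDIS_URL: "rediss://cache.internal:6380",
  CORS_ORIGINS: "https://xxxiii.io,https://studio.xxxiii.io",
};
export const GOOD_GITIGNORE = "node_modules\n.env\n.env.local\ndist\n";

export const BAD_ENV: Env = {
  DATABASE_URL: "postgresql://app:pw@db.internal:5432/hub",
  REVALIDATION_TOKEN: "short",
  NEXTAUTH_SECRET: "nas-0123456789abcdef0123456789abcdef",
  REDIS_URL: "redis://cache.internal:6379",
  CORS_ORIGINS: "*",
};
export const BAD_GITIGNORE = "node_modules\ndist\n";

// Stand-alone run: print findings for both constructed environments.
console.log("good:", preDeployChecks(GOOD_ENV, GOOD_GITIGNORE));
console.log("bad:", preDeployChecks(BAD_ENV, BAD_GITIGNORE));
```

Wired into CI, `preDeployChecks(process.env, fs.readFileSync(".gitignore", "utf8"))` with a non-empty result failing the job turns the checklist into a gate rather than a reminder.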