Crosswise is a browser-only SPA deployed continuously to Cloudflare Pages. There are no long-lived release branches — users always receive the latest deployed version automatically. Security fixes are applied to main and promoted to production within one business day.

If you are self-hosting Crosswise, keep your fork in sync with main to receive security fixes.

Please do not open a public GitHub Issue for security vulnerabilities.

Report privately via GitHub Security Advisories. This lets us triage and patch before public disclosure.

Include as much of the following as possible:

• A clear description of the vulnerability and its impact
• Steps to reproduce (or a proof-of-concept)
• The browser, OS, and Crosswise version (URL + date is sufficient)
• Any relevant network traces or screenshots (redact tenant data)

We will keep you informed at each milestone. If a reported vulnerability is declined we will explain why. Credit is given in the release notes unless you prefer to remain anonymous.

Understanding the architecture helps scope valid reports.

• Runs entirely in the user's browser — no server-side processing of tenant data
• Authenticates via PKCE S256 (no client secret, no implicit flow)
• Makes read-only Microsoft Graph API calls using a delegated access token
• Stores tokens and state in sessionStorage only (cleared when the tab closes)

• Transmit, log, or persist any tenant data to Aboutcloud servers
• Store credentials, tokens, or tenant data beyond the browser session
• Use a backend API that holds tenant information
• Request write permissions to Microsoft Graph
• Access user content (mail, files, messages, calendars)

None of these permissions grant write access or access to user-generated content.

The following are considered valid security reports:

• XSS — injecting arbitrary script into the dashboard from Graph API responses
• CSP bypass — circumventing the Content-Security-Policy header
• Token exposure — access tokens leaving sessionStorage or being sent to a third party
• PKCE flow weaknesses — state/nonce bypass, redirect URI manipulation
• Data exfiltration — tenant data sent to any host other than graph.microsoft.com or login.microsoftonline.com
• Supply chain — malicious code introduced via an npm dependency
• Cloudflare misconfiguration — WAF rules or security headers that fail to block a known attack class
• Sensitive data in source — credentials, tokens, or operator-specific values committed to the public repository

The following are not considered valid reports for this project:

• Vulnerabilities in Microsoft Graph API or Entra ID itself — report those to Microsoft MSRC
• Vulnerabilities in Cloudflare's platform — report those to Cloudflare
• Missing security headers that are already set by the Cloudflare Response Header Transform (verify against a live request, not the static public/_headers file)
• Rate limiting of the Graph API — this is governed by Microsoft's throttling policy
• Self-XSS (requires the user to paste code into the browser console)
• Attacks that require physical access to the user's device
• Social engineering of the user or the Aboutcloud team
• Scanner findings with no demonstrated impact (automated Nuclei/ZAP reports without a PoC)
• The fact that tenant data is visible in sessionStorage — this is by design and documented; the data is accessible only to the authenticated user in their own browser session

• Dependabot is enabled and opens PRs for outdated or vulnerable npm dependencies automatically.
• Trivy runs a filesystem vulnerability scan on every push and pull request (.github/workflows/security-scan.yml).
• Scan results are uploaded to GitHub Security Code scanning alerts.

For questions about this policy or the security model contact security@aboutcloud.io or open a private advisory.