We release patches for security vulnerabilities in the following versions:

Note: This project is currently in active development. We recommend using the latest version from the main branch for the most up-to-date security patches.

We take the security of Recipe Wizard seriously. If you discover a security vulnerability, please follow these steps:

Please DO NOT file a public issue for security vulnerabilities.

Instead, please report security vulnerabilities by:

1. GitHub Security Advisories: Use the GitHub Security Advisories feature (preferred method)
2. Private Disclosure: Contact the repository maintainers directly via GitHub's private vulnerability reporting feature

When reporting a vulnerability, please include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Any possible mitigations you've identified
• Your contact information for follow-up questions

• Initial Response: We aim to acknowledge receipt of your vulnerability report within 48 hours
• Status Updates: We will provide regular updates (at minimum every 7 days) on our progress
• Resolution: We aim to resolve critical vulnerabilities within 30 days

• We will work with you to understand and resolve the issue promptly
• We request that you give us reasonable time to address the vulnerability before public disclosure
• We will credit you in the security advisory (unless you prefer to remain anonymous)
• Once the vulnerability is patched, we will publish a security advisory

When using Recipe Wizard, please follow these security guidelines:

• Never commit your .env file to version control
• Keep your API keys secure and rotate them regularly
• Use different API keys for development and production environments

This application uses several third-party APIs. Secure your keys:

• Supabase: Use Row Level Security (RLS) policies
• Spoonacular API: Monitor usage and set rate limits
• Google Gemini API: Restrict API key usage to your domain
• Kroger API: Keep client secrets secure on the server side

• Regularly update dependencies to get security patches
• Run npm audit to check for known vulnerabilities
• Review dependency updates before applying them

• Use strong passwords for your Supabase account
• Enable multi-factor authentication where available
• Regularly review and revoke unused API tokens

This application integrates with external APIs:

• Spoonacular API for recipe data
• Google Gemini AI for chat functionality
• Kroger API for pricing information
• Supabase for authentication and data storage

Users should review the security and privacy policies of these services.

• User data is stored in Supabase (PostgreSQL)
• Ensure proper Row Level Security policies are configured
• Regularly backup your data

• API keys prefixed with VITE_ are bundled in the client-side code and visible to users
• Only use VITE_ prefix for API keys that are safe for public/client-side use
• Use server-side proxies for sensitive API operations (e.g., the Kroger API proxy)
• Implement proper CORS policies

Security updates will be announced through:

• GitHub Security Advisories
• Release notes in GitHub Releases
• Updates to this SECURITY.md file

If you have questions about this security policy, please open a general issue (not for vulnerability reports) or contact the maintainers.

Last Updated: November 2025