| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |
We provide security updates only for the latest version of Vibe Coding.
If you discover a security vulnerability, please DO NOT open a public issue.
- Send an email to: security@vibe-coding.dev
- Include:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if any)
- Within 48 hours: Initial response acknowledging receipt
- Within 7 days: Assessment and proposed remediation plan
- Within 14 days: Patch release for critical vulnerabilities
- Within 30 days: Patch release for non-critical vulnerabilities
- We will verify the vulnerability
- We will determine severity (Critical/High/Medium/Low)
- We will develop a fix
- We will coordinate release with you (if desired)
- We will publicly disclose after the fix is deployed
- Never commit `ANTHROPIC_API_KEY` to version control
- Use a strong, unique `JWT_SECRET` in production
- Rotate secrets regularly
- Change default MySQL passwords in production
- Restrict database access to localhost only
- Enable SSL for database connections in production
- Regularly update MySQL to the latest version
- Keep dependencies updated (`go get -u ./...`)
- Use HTTPS in production (TLS 1.3+)
- Enable firewall rules to restrict access
- Enable security headers via middleware
- Regularly audit logs for suspicious activity
- Always validate and sanitize user input
- Use parameterized queries to prevent SQL injection
- Enable rate limiting to prevent abuse
- Implement CORS properly
- Keep API keys secret
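The "security headers via middleware" item above is the one most easily shown in code. The following is an added example written for this page, not code from the Vibe Coding project: a standard-library `net/http` middleware that sets HSTS, `X-Frame-Options`, `Content-Security-Policy`, `X-Content-Type-Options` and `Referrer-Policy` on every response, plus a `MissingHeaders` helper that an audit or test can run against a recorded response. The header names match the feature table below; the specific values are assumptions chosen for illustration, and the project's own middleware may use different ones.

```go
package main

// Added example, not part of the Vibe Coding code base. Header values are
// assumptions for illustration; adjust the CSP to what the application serves.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// SecurityHeaders returns the header set this middleware applies.
func SecurityHeaders() map[string]string {
	return map[string]string{
		// HSTS only takes effect over TLS; browsers ignore it on plain HTTP,
		// so this pairs with the "Use HTTPS in production" item.
		"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
		"X-Frame-Options":           "DENY",
		"X-Content-Type-Options":    "nosniff",
		"Referrer-Policy":           "no-referrer",
		"Content-Security-Policy":   "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
	}
}

// WithSecurityHeaders wraps next so every response carries the headers above.
// Headers are set before next runs, so a handler can still override one
// deliberately (for example a stricter CSP on a specific route).
func WithSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range SecurityHeaders() {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// MissingHeaders reports, sorted, which required headers a response lacks.
// An empty result means the response passes the check.
func MissingHeaders(h http.Header) []string {
	var missing []string
	for k := range SecurityHeaders() {
		if h.Get(k) == "" {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)

	// Exercise the middleware in-process with httptest instead of binding a port.
	rec := httptest.NewRecorder()
	WithSecurityHeaders(app).ServeHTTP(rec, req)
	fmt.Println("with middleware, missing:", MissingHeaders(rec.Result().Header))

	// The same handler without the middleware fails the check.
	bare := httptest.NewRecorder()
	app.ServeHTTP(bare, req)
	fmt.Println("without middleware, missing:", MissingHeaders(bare.Result().Header))
}
```

Wrap the router once at the top of the handler chain (`http.ListenAndServeTLS(addr, cert, key, WithSecurityHeaders(router))`) so no route can be served without the headers, and keep `MissingHeaders` in the test suite so a refactor that drops the middleware fails CI rather than going unnoticed.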
Vibe Coding includes several built-in security features:

| Feature | Description |
|---|---|
| JWT Authentication | Token-based auth with configurable expiration |
| Password Hashing | bcrypt with cost factor 12 |
| Rate Limiting | Three-tier rate limiting (IP, user, API) |
| CORS Protection | Configurable origin whitelist |
| Security Headers | HSTS, X-Frame-Options, CSP, etc. |
| SQL Injection Protection | GORM parameterized queries |
| XSS Protection | Input sanitization and output encoding |
| Request Validation | Struct validation for all inputs |
We use GitHub Dependabot to automatically monitor and update dependencies. Security advisories are tracked via:
For security-related questions that are not vulnerability reports:
- Open a discussion with the `security` label
- Email: security@vibe-coding.dev
This project has not yet undergone a professional security audit. We welcome contributions from security researchers and encourage responsible disclosure.
If you're conducting a security review, please focus on:
- Authentication and authorization flows
- Input validation and sanitization
- Database query construction
- File upload handling (if any)
- Session management
- API rate limiting
- Secret management