| Version | Supported |
|---|---|
| 0.1.x | Yes |
FoodFlow takes security seriously. If you discover a vulnerability, please do not open a public issue.
- Contact: Email jasonbmt06@gmail.com with detailed description of the vulnerability
- Response: You will receive an acknowledgment within 48 hours
- Triage: We will validate, assess severity, and confirm the timeline within 5 business days
- Fix: We will develop and test a fix. Critical vulnerabilities are patched within 7 days.
- Disclosure: We coordinate public disclosure. You will be credited in the acknowledgment section (unless you prefer to remain anonymous).
-----BEGIN PGP PUBLIC KEY BLOCK-----
(Coming soon — key will be published at https://keys.openpgp.org)
-----END PGP PUBLIC KEY BLOCK-----
In scope:
backend/— NestJS API server, Prisma ORM, WebSocket (Socket.IO), BullMQ workersweb/— Next.js admin dashboard, restaurant dashboardmobile/— Flutter customer app, driver appinfra/— Docker Compose, Nginx, observability, and deployment support- Authentication and authorization flows (JWT, RBAC, refresh token rotation)
- Rate limiting and brute-force protection
- WebSocket room isolation and GPS tracking authorization
Out of scope:
- Third-party services (Gemini API, Google Maps API) — report to those vendors directly
- Social engineering attacks
- Physical security
- Denial of Service (DoS) — we use rate limiting but cannot prevent all volumetric attacks
- Vulnerabilities in outdated dependencies not used by the project
- Issues requiring privileged access (shell on the host machine)
- Do not access, modify, or delete data that does not belong to you
- Do not degrade the service or disrupt other users
- Do not publicly disclose the vulnerability before we have had a reasonable time to fix it
- Provide sufficient details to reproduce the issue (steps, payloads, affected endpoints)
- We do not offer a monetary bounty program at this time, but we will publicly acknowledge your contribution
- JWT access token (HS256, 15 minutes)
- Refresh token rotation (7 days, blocklist in Redis)
- bcrypt password hashing (cost factor 12)
- Account lockout after 5 failed login attempts
- Role-Based Access Control (RBAC): customer, driver, restaurant, admin
- Guards on all protected endpoints
- Admin audit log records every administrative action
- Helmet security headers
- CORS restricted origins
- Rate limiting: 100 req/min global, 5 req/min login
- Input validation via Zod/class-validator
- SQL injection prevention (Prisma parameterized queries)
- WebSocket CORS origin restriction
- JWT authentication on WebSocket handshake
- Room-based access control (only order's customer can view driver location)
- No real card data stored (MVP: mock payment)
- Location data only shared with the order's customer
- PII not sent to AI assistant
- API keys excluded from git via
.gitignore
- HS256 to Ed25519 asymmetric keys
- JWKS endpoint for service-to-service auth
- Docker secrets instead of environment variables
- HTTPS/TLS with Let's Encrypt
We thank the following individuals for responsibly disclosing vulnerabilities:
| Name | Contribution | Date |
|---|---|---|
| — | (none yet) | — |
To be added here: submit a validated vulnerability report per the disclosure process above.