This security policy applies to the ImpactHub project, which is part of SLIIT (Sri Lanka Institute of Information Technology) academic coursework. While this is an educational project, we maintain security best practices as part of our learning objectives.

As an academic project, we focus on the latest development version:

If you discover a security vulnerability in this academic project:

1. DO NOT create a public issue
2. Report immediately to project group members:
   • Janitha Gamage (Project Lead)
   • Dewmini Navodya (Scrum Master)
   • Contact through official SLIIT channels

1. Initial Report

   • Email project team members
   • Include a detailed description of the vulnerability
   • Provide steps to reproduce (if applicable)
   • Mention potential impact

2. Response Timeline

   • Initial acknowledgment: Within 48 hours
   • Assessment completion: Within 1 week
   • Fix implementation: Within 2 weeks (depending on complexity)

1. Authentication & Authorization

   // Use proper authentication middleware
   const jwt = require('jsonwebtoken');
   const bcrypt = require('bcrypt');
   
   // Hash passwords before storing
   const saltRounds = 12;
   const hashedPassword = await bcrypt.hash(password, saltRounds);

2. Input Validation & Sanitization

   // Validate and sanitize all inputs
   const { body, validationResult } = require('express-validator');
   
   // Example validation
   body('email').isEmail().normalizeEmail(),
   body('amount').isNumeric().isFloat({ min: 0.01 })

3. SQL Injection Prevention

   // Use parameterized queries
   const query = 'SELECT * FROM users WHERE email = ?';
   db.query(query, [email], callback);

4. Rate Limiting

   // Implement rate limiting
   const rateLimit = require('express-rate-limit');
   const limiter = rateLimit({
     windowMs: 15 * 60 * 1000, // 15 minutes
     max: 100 // limit each IP to 100 requests per windowMs
   });

1. XSS Prevention

   // React automatically escapes JSX
   // Avoid dangerouslySetInnerHTML unless necessary
   <div>{userInput}</div> // Safe

2. Secure API Calls

   // Use HTTPS in production
   // Implement proper error handling
   const apiCall = async (endpoint, data) => {
     try {
       const response = await fetch(`${API_BASE_URL}${endpoint}`, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
           'Authorization': `Bearer ${token}`
         },
         body: JSON.stringify(data)
       });
       return response.json();
     } catch (error) {
       // Handle errors securely
       console.error('API call failed:', error);
       throw new Error('Request failed');
     }
   };

1. Environment Variables

   # .env file (never commit to repository)
   DB_CONNECTION_STRING=mongodb://localhost:27017/impactHub
   JWT_SECRET=your-super-secret-jwt-key-here
   API_KEY=your-api-key-here
   NODE_ENV=development

2. Dependencies Security

   # Regularly audit dependencies
   npm audit
   npm audit fix
   
   # Keep dependencies updated
   npm update

Before submitting a pull request, ensure:

• No sensitive data (passwords, API keys, secrets) in code
• All user inputs are validated and sanitized
• Authentication is properly implemented
• Authorization checks are in place
• Error messages don't leak sensitive information
• Dependencies are up to date and secure
• HTTPS is used for all external API calls
• Proper session management is implemented

• ❌ Storing passwords in plain text
• ❌ Weak password requirements
• ❌ Missing authentication on protected routes
• ❌ Improper session management

• ❌ SQL injection vulnerabilities
• ❌ Cross-site scripting (XSS)
• ❌ Command injection
• ❌ Path traversal attacks

• ❌ Sensitive data in logs
• ❌ Detailed error messages in production
• ❌ Unencrypted sensitive data storage
• ❌ Missing access controls

• ❌ Default credentials
• ❌ Unnecessary services enabled
• ❌ Missing security headers
• ❌ Improper CORS configuration

1. Static Analysis

   # ESLint security plugin
   npm install --save-dev eslint-plugin-security
   
   # Dependency vulnerability scanner
   npm audit

2. Runtime Security

   # Helmet.js for security headers
   npm install helmet
   
   # Express rate limiting
   npm install express-rate-limit

• OWASP Top 10
• Node.js Security Best Practices
• React Security Guidelines

This security policy serves the following academic learning objectives:

1. Understanding Security Fundamentals

   • Learn common web application vulnerabilities
   • Understand secure coding practices
   • Implement proper authentication and authorization

2. Industry Best Practices

   • Follow security guidelines used in professional development
   • Learn to use security tools and scanners
   • Understand the importance of security in software development

3. Responsible Disclosure

   • Learn how to report security issues appropriately
   • Understand the impact of security vulnerabilities
   • Practice ethical security research

• All security practices must comply with SLIIT academic policies
• Security testing should only be performed on this academic project
• Do not attempt to test security on external systems
• Report any security concerns through proper academic channels

For security-related questions or concerns:

• Project Team: Contact through SLIIT official channels
• Academic Supervisor: Through university email system
• Emergency: Follow SLIIT incident reporting procedures

Note: This security policy is part of academic coursework and serves educational purposes. Real-world security implementations may require additional considerations and professional security audits.