We currently support the main branch of eventmappr. Older or archived branches may not receive security updates.
| Version | Supported |
|---|---|
| main | β Yes |
| others | β No |
If you find a security vulnerability in eventmappr, please report it privately to prevent misuse.
Instead, report it discreetly by emailing the maintainer.
Please include:
- A detailed description of the issue
- Steps to reproduce the vulnerability (if applicable)
- The impact and potential threat level
- Suggested fixes or recommendations (optional but helpful)
We aim to:
- β±οΈ Acknowledge your report within 3 working days
- π οΈ Investigate and patch valid issues within 14 days, depending on severity
You're encouraged to report:
- XSS (Cross-Site Scripting)
- CSRF vulnerabilities
- Open redirects
- Exposure of sensitive event or location data
- Authentication/authorization bypass
- Insecure API endpoints
Please do not report:
- Automated scans without proof-of-concept
- Issues in third-party dependencies unless directly exploitable
- Outdated libraries with no active exploitation path
- Avoid running disruptive tests on any live deployment
- Do not access, modify, or delete user/admin data
- Use test accounts where available
- Do not publicly disclose vulnerabilities before they are patched
If contributing to eventmappr:
- Sanitize all user inputs (especially location/event names)
- Validate coordinates and form data on both client and server sides
- Avoid exposing sensitive API keys or secrets
- Use secure headers and enforce HTTPS
This project may use:
- React
- Map APIs (e.g., Leaflet, Google Maps)
- Node.js/Express (if backend exists)
- Firebase or other cloud services
π Run npm audit and npm audit fix regularly to check for vulnerabilities.
We believe in responsible disclosure and value input from the developer and security community. All valid reports will be acknowledged and credited (if desired).
π Thank you for helping keep eventmappr safe for everyone!