
Security Policy

Supported Versions

Version Supported
Latest
1.x
< 1.0

Reporting a Vulnerability

We take the security of DocShare seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Please open an issue on GitHub to report security vulnerabilities.

When reporting a vulnerability, please include:

  • Description: Clear description of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Impact: Potential impact of the vulnerability
  • Environment: Version and environment details
  • Proof of Concept: If available, a minimal proof of concept

Response Timeline

  • Initial Response: We will acknowledge receipt within 48 hours
  • Detailed Response: We will provide a detailed response within 7 days
  • Patch Timeline: We aim to release a patch within 30 days of disclosure

Security Coordinators

Report security issues via GitHub Issues.

Security Best Practices

For Deployments

  1. Change Default Credentials
     • Update database credentials in production
     • Configure S3 credentials or IAM roles with least-privilege access
     • Use a strong JWT secret (minimum 32 characters)

  2. Network Security
     • Use HTTPS in production
     • Configure firewall rules
     • Limit database access to application servers only

  3. S3 Storage Security
     • Enable server-side encryption (SSE-S3 or SSE-KMS) for all buckets
     • Use bucket policies to restrict access to authorized IAM roles only
     • Enable S3 Object Lock for compliance requirements
     • Configure bucket versioning for accidental deletion protection
     • Block public access at the bucket level
     • Use VPC endpoints for private connectivity to S3

  4. Environment Variables
     • Never commit secrets to version control
     • Use environment-specific configurations
     • Regularly rotate secrets

  5. Container Security
     • Use official Docker images
     • Regularly update base images
     • Scan images for vulnerabilities
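The S3 items above (a bucket policy limited to authorized IAM roles, no public access, encryption on every object) are easiest to get right when the policy is both generated and audited by code. The Go below is an added example, not DocShare's own code. BuildBucketPolicy emits a policy that allows only the named roles and adds two Deny statements, one for requests that do not use TLS and one for uploads that omit the server-side-encryption header; MissingControls audits any policy for those guard rails and for an Allow granted to the anonymous principal, so a bucket's existing document can be decoded with encoding/json into Policy and checked. The bucket name and role ARN in the comments are placeholders.

```go
package main

import "fmt"

// Statement models the bucket-policy grammar; Principal, Action and Resource are
// `any` because AWS accepts either a string or a list in each.
type Statement struct {
	Sid       string                    `json:"Sid,omitempty"`
	Effect    string                    `json:"Effect"`
	Principal any                       `json:"Principal"`
	Action    any                       `json:"Action"`
	Resource  any                       `json:"Resource"`
	Condition map[string]map[string]any `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// BuildBucketPolicy grants only the named roles access and adds two guard rails:
// requests must use TLS, and uploads must carry a server-side-encryption header.
// Example call (placeholder names, not DocShare's):
// BuildBucketPolicy("docshare-files-example", []string{"arn:aws:iam::123456789012:role/docshare-app"})
func BuildBucketPolicy(bucket string, roleARNs []string) Policy {
	arn := "arn:aws:s3:::" + bucket
	both := []string{arn, arn + "/*"}
	return Policy{Version: "2012-10-17", Statement: []Statement{
		{Sid: "AllowAppRoles", Effect: "Allow", Principal: map[string]any{"AWS": roleARNs}, Resource: both,
			Action: []string{"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}},
		{Sid: "DenyInsecureTransport", Effect: "Deny", Principal: "*", Action: "s3:*", Resource: both,
			Condition: map[string]map[string]any{"Bool": {"aws:SecureTransport": "false"}}},
		{Sid: "DenyUnencryptedUploads", Effect: "Deny", Principal: "*", Action: "s3:PutObject", Resource: arn + "/*",
			Condition: map[string]map[string]any{"Null": {"s3:x-amz-server-side-encryption": "true"}}},
	}}
}

// asStrings normalises a string-or-list field, including the []any that json.Unmarshal produces.
func asStrings(v any) []string {
	switch x := v.(type) {
	case string:
		return []string{x}
	case []string:
		return x
	case []any:
		out := make([]string, 0, len(x))
		for _, e := range x {
			out = append(out, fmt.Sprint(e))
		}
		return out
	}
	return nil
}

// covers reports whether an action list includes want, or the s3:* wildcard.
func covers(actions []string, want string) bool {
	for _, a := range actions {
		if a == want || a == "s3:*" {
			return true
		}
	}
	return false
}

// isPublic reports whether a Principal is the anonymous wildcard ("*" or {"AWS": "*"}).
func isPublic(principal any) bool {
	m, _ := principal.(map[string]any)
	return principal == "*" || covers(asStrings(m["AWS"]), "*")
}

// MissingControls audits a policy and names the guard rails it lacks; an empty
// result means all three checks pass. It inspects the policy only: the account
// and bucket Block Public Access settings and default encryption are separate.
func MissingControls(p Policy) []string {
	tlsDeny, sseDeny, public := false, false, false
	for _, st := range p.Statement {
		acts := asStrings(st.Action)
		if st.Effect == "Allow" && isPublic(st.Principal) {
			public = true
		}
		if st.Effect != "Deny" {
			continue
		}
		if v, ok := st.Condition["Bool"]["aws:SecureTransport"]; ok && fmt.Sprint(v) == "false" && covers(acts, "s3:*") {
			tlsDeny = true
		}
		if v, ok := st.Condition["Null"]["s3:x-amz-server-side-encryption"]; ok && fmt.Sprint(v) == "true" && covers(acts, "s3:PutObject") {
			sseDeny = true
		}
	}
	var missing []string
	if !tlsDeny { missing = append(missing, "no Deny for non-TLS requests (aws:SecureTransport)") }
	if !sseDeny { missing = append(missing, "no Deny for uploads without server-side encryption") }
	if public { missing = append(missing, "an Allow statement grants access to the anonymous principal *") }
	return missing
}
```

The Null condition on s3:x-amz-server-side-encryption rejects a PutObject that carries no encryption header at all, which is the usual gap when a bucket relies on clients to opt in; with SSE-S3 or SSE-KMS set as the bucket default this statement is belt-and-braces, and MissingControls still reports it as missing when absent because the policy is what gets reviewed.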

For Development

  1. Local Development
     • Use different credentials than production
     • Keep development and production data separate
     • Use HTTPS locally when possible

  2. Code Security
     • Review code for security issues
     • Use security scanning tools
     • Follow secure coding practices

Security Features

DocShare includes several security features:

  • Authentication: JWT-based authentication with configurable expiration
  • Authorization: Role-based access control (RBAC)
  • Password Security: bcrypt hashing for password storage
  • File Security: Presigned URLs for secure file access
  • Input Validation: Server-side validation for all inputs
  • CORS Protection: Configurable CORS settings
  • File Upload Limits: Configurable file size restrictions
  • Audit Logging: Comprehensive audit trail tracking all user actions (uploads, downloads, shares, logins, admin operations) with IP address and request correlation, automatically exported to S3
  • API Tokens: SHA-256 hashed at rest, raw token shown once, prefix stored for display
  • Device Flow: Codes SHA-256 hashed, 15-minute expiry, single-use (hard deleted after token issuance)
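The API Tokens and Device Flow items describe one storage design: the secret is shown to the caller once, only its SHA-256 hash is persisted, a short prefix is kept for display, and device codes expire after 15 minutes and are hard-deleted when redeemed. The Go below is an added example of that design, not DocShare's implementation. The dsh_ prefix, the 8-character display prefix and the random lengths are assumptions; the maps stand in for database tables and carry no locking, so the code is single-goroutine as written. The 15-minute expiry is the one value taken from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

const (
	tokenPrefix   = "dsh_"           // assumed: the page gives no token prefix
	prefixDisplay = 8                // assumed: characters of the raw token kept for the UI listing
	deviceCodeTTL = 15 * time.Minute // the expiry stated on the page
)

var ErrUnknownCode = errors.New("device code unknown, expired or already used")
var ErrNotApproved = errors.New("device code not yet approved by a user")

// hashSecret is the only form in which tokens and device codes are persisted.
func hashSecret(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func randomString(n int) string {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // crypto/rand failing is unrecoverable for a token service
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// tokenRow is what the token table holds: display prefix and owner, never the raw token.
type tokenRow struct{ Prefix, UserID string }

type tokenStore map[string]tokenRow // keyed by hashSecret(raw token)

// Issue returns the raw token exactly once; afterwards only its hash and prefix exist.
func (s tokenStore) Issue(userID string) string {
	raw := tokenPrefix + randomString(32)
	s[hashSecret(raw)] = tokenRow{Prefix: raw[:prefixDisplay], UserID: userID}
	return raw
}

// Authenticate hashes the presented token and looks the hash up, so a leaked table cannot be replayed.
func (s tokenStore) Authenticate(raw string) (string, bool) {
	row, ok := s[hashSecret(raw)]
	return row.UserID, ok
}

// deviceCode is the pending row; UserID stays empty until the user approves it.
type deviceCode struct {
	UserID  string
	Expires time.Time
}

type deviceStore map[string]*deviceCode // keyed by hashSecret(raw code)

// lookup returns the live record for a raw code; unknown or expired rows yield nil (expired ones are deleted).
func (d deviceStore) lookup(raw string, now time.Time) (*deviceCode, string) {
	h := hashSecret(raw)
	if rec := d[h]; rec != nil && now.Before(rec.Expires) {
		return rec, h
	}
	delete(d, h)
	return nil, h
}

// Start issues a device code and stores only its hash with a 15-minute expiry.
func (d deviceStore) Start(now time.Time) string {
	raw := randomString(16)
	d[hashSecret(raw)] = &deviceCode{Expires: now.Add(deviceCodeTTL)}
	return raw
}

// Approve records which signed-in user authorised the code from their browser.
func (d deviceStore) Approve(raw, userID string, now time.Time) error {
	rec, _ := d.lookup(raw, now)
	if rec == nil {
		return ErrUnknownCode
	}
	rec.UserID = userID
	return nil
}

// Redeem exchanges an approved, unexpired code for an API token, hard-deleting the code first (single use).
func (d deviceStore) Redeem(raw string, tokens tokenStore, now time.Time) (string, error) {
	rec, h := d.lookup(raw, now)
	if rec == nil {
		return "", ErrUnknownCode
	}
	if rec.UserID == "" {
		return "", ErrNotApproved
	}
	delete(d, h)
	return tokens.Issue(rec.UserID), nil
}
```

Two details carry the security value: the token table is keyed by the hash, so a database dump yields nothing a client can present, and Redeem deletes the code before the token is issued, so a second redemption of a captured code fails with ErrUnknownCode rather than minting another token.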

Known Security Considerations

Current Limitations

  1. File Type Validation: Currently relies on MIME type detection
  2. Rate Limiting: Not implemented in current version

Future Improvements

  • Rate limiting for API endpoints
  • File content scanning for malware
  • Multi-factor authentication support

Security Updates

We will announce security updates through:

  • GitHub Security Advisories
  • Release notes
  • Project documentation

Users are encouraged to:

  • Monitor for security updates
  • Update to patched versions promptly
  • Review security advisories for impact assessment

Responsible Disclosure Policy

We follow a responsible disclosure policy:

  1. Private Reporting: Security issues should be reported privately
  2. Coordination: We will coordinate with reporters on disclosure timing
  3. Credit: We will credit reporters who follow this policy
  4. Legal Protection: We will not pursue legal action against researchers who follow this policy

Security Resources

Tools and Libraries

  • Go Security: https://gosec.github.io/
  • Node.js Security: https://nodejs.org/en/security
  • OWASP: https://owasp.org/
  • Docker Security: https://docs.docker.com/security/

Further Reading

Questions

If you have questions about this security policy or need to report a security issue, please open an issue on GitHub.

Thank you for helping keep DocShare and its users safe! 🛡️