We take the security of AstraDraw seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@astradraw.io (or create a private security advisory on GitHub)

Please include the following information in your report:

• Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
• Full paths of affected source files
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue and potential attack scenarios

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity, typically within 30 days for critical issues

1. We will acknowledge receipt of your vulnerability report
2. We will investigate and validate the issue
3. We will work on a fix and coordinate disclosure timing with you
4. We will credit you in the security advisory (unless you prefer to remain anonymous)

When deploying AstraDraw, please follow these security recommendations:

• Use strong, unique passwords for all accounts
• Enable OIDC/SSO when possible for centralized authentication
• Regularly rotate JWT secrets

• Always use HTTPS in production
• Keep Traefik and other components updated
• Restrict network access to necessary ports only

• Use Docker secrets for sensitive configuration (see docs/deployment/DOCKER_SECRETS.md)
• Never commit .env files or secrets to version control
• Run containers with minimal privileges

• Regularly backup your PostgreSQL database
• Enable encryption at rest for S3/MinIO storage
• Review and restrict access to workspace data appropriately

We appreciate the security research community's efforts in helping keep AstraDraw secure. Researchers who report valid vulnerabilities will be acknowledged in our security advisories (with their permission).