Security: sbdk-dev/sbdk.dev

SECURITY.md

Security Policy

Reporting a Vulnerability

The SBDK team takes the security of our software and services seriously. If you believe you have found a security vulnerability in the SBDK.dev website, we encourage you to let us know right away.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

Open a GitHub Security Advisory (a private report, not a public issue)

If you prefer, you can also report via:

What to Include

To help us better understand and resolve the issue, please include as much of the following information as possible:

  • Type of vulnerability (e.g., XSS, CSRF, SQL injection, authentication bypass)
  • Full path of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue - what an attacker could do
  • Your contact information (if you'd like credit)

What to Expect

After you submit a vulnerability report:

  1. Acknowledgment - We'll acknowledge receipt within 48 hours
  2. Assessment - We'll investigate and assess the severity within 5 business days
  3. Updates - We'll keep you informed about our progress
  4. Resolution - We'll work to resolve critical issues as quickly as possible
  5. Credit - We'll credit you in the security advisory (unless you prefer to remain anonymous)

Response Timeline

Note: As this project is now archived as a reference implementation, active security patching is not guaranteed. However, we will review reported vulnerabilities and may provide fixes for critical issues.

Supported Versions

Version   Supported
Latest    ⚠️ Archived (reference only)
Older     ❌ No

This project is archived as a reference implementation (November 2025). For active projects, consider forking and maintaining your own security updates.

Security Best Practices

When deploying or contributing to SBDK.dev:

For Developers

  • Dependencies: Keep all npm packages up to date
  • Environment Variables: Never commit sensitive data
  • Authentication: Use secure authentication mechanisms
  • Input Validation: Validate and sanitize all user inputs
  • HTTPS: Always use HTTPS in production
  • CSP: Content Security Policy headers are configured; keep them in place and tighten them whenever a new third-party origin is added
  • CORS: Cross-Origin Resource Sharing is configured deliberately; a static site that exposes no API should not send permissive Access-Control-Allow-Origin headers at all

For Deployments

  • Secrets Management: Use environment variables for sensitive data
  • HTTPS Only: Enforce HTTPS in production
  • Regular Updates: Keep Node.js and dependencies updated
  • Access Control: Limit who can deploy to production
  • Monitoring: Set up security monitoring and alerts
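The CSP, HTTPS and CORS items above are the ones most often misconfigured, so here is a worked next.config.js header setup together with a small lint that flags the directives that usually undo a CSP's value. This is an added example, not the sbdk.dev project's own configuration; the analytics origin, the header values and the function names are assumptions chosen for illustration. It assumes the site is served by `next start` or a host that honours `headers()`; a pure static export (`output: 'export'`) has to set the same headers at the host instead.

```javascript
// Added example: security headers for a static Next.js site (not sbdk.dev's own config).
// Origins below are placeholders (assumptions), not the project's actual third parties.
const ALLOWED_SCRIPT_SRC = ["'self'", 'https://analytics.example.com'];
const ALLOWED_CONNECT_SRC = ["'self'", 'https://analytics.example.com'];

// Build a CSP header value from a directive map, so the allowed origins are
// auditable as data rather than buried in one long string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// The full header set applied to every route. No Access-Control-Allow-Origin is
// emitted: a static site with no API has nothing to share cross-origin.
function buildSecurityHeaders() {
  const csp = buildCsp({
    'default-src': ["'self'"],
    'script-src': ALLOWED_SCRIPT_SRC,
    'style-src': ["'self'", "'unsafe-inline'"], // Next.js injects inline style tags
    'img-src': ["'self'", 'data:'],
    'font-src': ["'self'"],
    'connect-src': ALLOWED_CONNECT_SRC,
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
    'frame-ancestors': ["'none'"],
    'upgrade-insecure-requests': [],
  });
  return [
    { key: 'Content-Security-Policy', value: csp },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  ];
}

// Lint a CSP value for the settings that most often make it worthless:
// wildcard sources anywhere, and inline or eval'd script in script-src/default-src.
function cspWeaknesses(csp) {
  const problems = [];
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    if (sources.includes('*')) problems.push(`${name} allows *`);
    if (name === 'script-src' || name === 'default-src') {
      if (sources.includes("'unsafe-inline'")) problems.push(`${name} allows 'unsafe-inline'`);
      if (sources.includes("'unsafe-eval'")) problems.push(`${name} allows 'unsafe-eval'`);
    }
  }
  if (!/\b(object-src|default-src)\b/.test(csp)) problems.push('no object-src or default-src fallback');
  return problems;
}

// What next.config.js would export: the same header set on every path.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: buildSecurityHeaders() }];
  },
};

if (typeof module !== 'undefined') module.exports = nextConfig;
```

Run `cspWeaknesses` against the header you actually serve (curl -sI the production host and paste the value) rather than against the config file, since CDNs and hosting platforms sometimes add or rewrite headers. If a vetted third-party script is loaded from a CDN, pin it with an `integrity` attribute and `crossorigin="anonymous"` in addition to allowlisting its origin in `script-src`.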

Known Security Considerations

This website is a static Next.js application with the following security characteristics:

What We Do

  ✅ No user authentication - No passwords or user data stored
  ✅ No database - No SQL injection risks
  ✅ Static content - Minimal attack surface
  ✅ CSP headers - Content Security Policy enabled
  ✅ HTTPS only - All traffic encrypted
  ✅ Dependency scanning - Automated via GitHub Dependabot

What to Watch

  ⚠️ Third-party scripts - Analytics, CDNs (carefully vetted)
  ⚠️ Client-side code - XSS prevention in React components
  ⚠️ Dependencies - Regular updates required
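React escapes text children and attribute values by default, so on a static site the residual XSS vectors in components are URL-bearing attributes that accept a `javascript:` scheme (for instance an `href` built from content or a query string) and `dangerouslySetInnerHTML`. The helper below, an added example that is not sbdk.dev's own code, handles the first by allowlisting schemes after WHATWG URL parsing, which normalises the usual obfuscations (mixed case, embedded tabs, leading control characters) before the check; the second is best avoided rather than sanitised. The function names and the placeholder base origin are assumptions.

```javascript
// Added example (not sbdk.dev code): scheme allowlisting for link hrefs in React components.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
// Only used to resolve relative links during parsing; never emitted. An assumption.
const BASE = 'https://placeholder.invalid/';

// Return the href unchanged if its parsed scheme is allowlisted, otherwise null.
// Parsing rather than string-matching means "JaVaScRiPt:", "java\tscript:" and
// " javascript:" all resolve to the javascript: scheme and are rejected.
function safeHref(href) {
  if (typeof href !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(href, BASE);
  } catch {
    return null; // unparseable input is treated as unsafe
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? href : null;
}

// Props for an <a> element as a component would spread them. A link that fails
// the check is rendered without any href rather than with a neutralised "#".
function linkProps(href, { external = false } = {}) {
  const safe = safeHref(href);
  if (safe === null) return { role: 'link', 'aria-disabled': true };
  const props = { href: safe };
  if (external) {
    props.target = '_blank';
    props.rel = 'noopener noreferrer'; // blocks window.opener access and referrer leakage
  }
  return props;
}
```

In a component this is `<a {...linkProps(item.url, { external: true })}>{item.title}</a>`; the text child is escaped by React, so only the attribute needed a check. If HTML from a CMS or markdown pipeline must be injected, run it through a maintained sanitiser such as DOMPurify before `dangerouslySetInnerHTML`, and keep `script-src` in the CSP free of `'unsafe-inline'` so a missed case has no script to execute.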

Security Disclosure Policy

Public Disclosure

  • Security issues will be disclosed publicly after a fix is released
  • We aim for responsible disclosure within 90 days of initial report
  • Critical issues may be disclosed sooner if actively exploited
  • We'll coordinate disclosure timing with the reporter

Hall of Fame

We recognize security researchers who help keep SBDK.dev secure:

No vulnerabilities reported yet

Contact

Related Resources


Thank you for helping keep SBDK.dev secure! 🔒

There aren’t any published security advisories