Security: gayanukabulegoda/LearnFlow-BACKEND

SECURITY.md

Security Policy

Thank you for your interest in the security of LearnFlow BACKEND. We take the protection of our users and their data seriously. This document outlines our security policy and responsible disclosure guidelines.


Supported Versions

We maintain active support and security updates for the latest major release of LearnFlow BACKEND. Please refer to the repository’s Releases page for information on the currently supported version(s).

Version Supported
1.x

If you are using an older version, we strongly encourage you to upgrade to the latest release to benefit from the newest security patches and features.


Reporting a Vulnerability

We appreciate your efforts to disclose vulnerabilities responsibly. If you discover a potential security issue or vulnerability in this project, please do not publicly disclose it until we have had a chance to address it.

  1. Contact Method
    Send a detailed description of the issue, including steps to reproduce and any relevant information, to our dedicated security email:

  2. Encrypted Communication (Optional)
    If you prefer to encrypt your email, please indicate that in your initial message, and we will coordinate a secure communication channel.

  3. LinkedIn & Portfolio
    Alternatively, you may reach out via:

    However, email remains the preferred channel for reporting sensitive security matters.

  4. Response Time
    We strive to respond within 72 hours to acknowledge receipt of your report. We will provide an initial assessment and may request additional information to help reproduce or confirm the vulnerability.


Disclosure Process

  1. Investigation & Confirmation
    Upon receiving your report, we will investigate the issue to confirm its validity and impact. If the vulnerability is confirmed, we will work on a fix or mitigation strategy.

  2. Patch or Mitigation Release
    Once a fix is developed and tested, we will release it in the next appropriate version of the software. We will also notify you when the fix is available, crediting your contribution if desired and appropriate.

  3. Public Disclosure
    After the patch is released, we may publicly disclose the nature of the vulnerability to ensure users are aware and can upgrade promptly. We will coordinate with you on the public disclosure timeline to ensure responsible communication.


Bug Bounty

Currently, LearnFlow BACKEND does not have a formal bug bounty program. However, we are grateful for any responsible disclosures and may offer public recognition for verified and impactful reports.


Security Best Practices

  • Keep Dependencies Updated
    Always update your dependencies to the latest secure versions.
  • Use HTTPS & Secure Channels
    Deploy the backend over HTTPS to ensure secure data transmission.
  • Practice Least Privilege
    Assign only the minimum privileges required for database and environment-level access.

Thank You

Your efforts in discovering and responsibly reporting vulnerabilities are invaluable to maintaining a secure environment for all users of LearnFlow BACKEND. We appreciate your support and commitment to security.


Last updated: February 18, 2025

There aren’t any published security advisories