Security Policy¶
Supported Versions¶
We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | :white_check_mark: |
Reporting a Vulnerability¶
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
1. DO NOT open a public issue¶
Security vulnerabilities should be reported privately to avoid exploitation.
2. Contact Us¶
Please report security vulnerabilities via:
- Email: security@easysale.de
- GitHub Security Advisories: Use the "Security" tab in this repository
3. What to Include¶
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Your contact information
4. Response Timeline¶
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
- Critical: Within 24-48 hours
- High: Within 7 days
- Medium: Within 30 days
- Low: Next release cycle
Security Measures¶
Automated Security Scanning¶
This project uses multiple layers of security scanning:
- Dependabot: Automated dependency updates and security alerts
- GitHub Actions: CI/CD security checks on every push
- npm audit: Regular vulnerability scans for Node.js dependencies
- Flutter pub outdated: Regular checks for outdated Flutter packages
Security Implementation¶
See our comprehensive security documentation:
- SECURITY_IMPLEMENTATION.md - Cloud Functions security
- DEPENDENCY_SCANNING_KONZEPT.md - Dependency scanning strategy
- SECURITY_AUDIT_REPORT.md - Security audit findings
Key Security Features¶
✅ Session Management: Automatic token refresh and timeout
✅ Input Validation: Comprehensive request validation
✅ Authorization: Role-based access control (User/Admin/SuperAdmin)
✅ Rate Limiting: Per-client request limits against brute-force and abuse (application-level limits do not replace network-level DDoS mitigation)
✅ Dependency Scanning: Continuous monitoring for vulnerabilities
Responsible Disclosure Policy (Vulnerability Reporting)¶
Scope¶
In-Scope:
- easySale Shop System (Web-App & Mobile)
- easySale ERP System (Web-App & Mobile)
- Firebase Cloud Functions (functions/)
- Firestore Security Rules
Out-of-Scope:
- Social Engineering (Phishing, Vishing etc.)
- Physical attacks
- Denial-of-Service (DoS/DDoS)
- Vulnerabilities in third-party services (Firebase, Google Cloud)
- Automated scanner findings without proof of exploitability
Bug Bounty¶
We do not run a monetary bug bounty program. We do, however, thank responsible reporters by:
- Public acknowledgement in our release notes (on request)
- Confirmation and acknowledgement by e-mail
Process¶
We follow the responsible disclosure principle:
- The reporter contacts us privately via security@easysale.de
- We confirm receipt within 48 hours
- We investigate and assess the vulnerability (within 7 days)
- We develop and test a fix
- We release the fix
- Coordinated public disclosure (agreed with the reporter)
Expectations of Reporters¶
- No public disclosure before a coordinated fix
- No access to other users' data
- No triggering of system outages
Security Best Practices for Contributors¶
If you're contributing to this project:
- ✅ Never commit credentials, API keys, or secrets
- ✅ Run `npm audit` before submitting Cloud Functions changes
- ✅ Run `flutter pub outdated` for Flutter changes
- ✅ Follow OWASP security guidelines
- ✅ Use the latest secure versions of dependencies
- ✅ Write security-conscious code (input validation, sanitization)
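The checklist above can be enforced mechanically before a commit is made. The following pre-commit script is an added example written for this page, not part of the easySale repository: it scans staged files for credential-shaped strings (Google/Firebase API keys, AWS access key IDs, PEM private keys, literal `password`/`secret`/`token`/`api_key` assignments) and then runs the audits the checklist names for the areas that changed. The patterns, the `functions/` path and the hook location are assumptions; extend the patterns for your stack.

```shell
#!/usr/bin/env sh
# Added example pre-commit hook (not the easySale project's own code).
# Assumptions: Cloud Functions live under functions/, Flutter code is *.dart
# with pubspec.yaml/pubspec.lock at the repo root, hook installed as
# .git/hooks/pre-commit.

# Credential-shaped patterns (assumed set; add your own):
#  - Google/Firebase API keys: "AIza" + 35 key characters
#  - AWS access key IDs: "AKIA" + 16 uppercase/digits
#  - PEM private key headers
#  - password/secret/token/api_key assigned a quoted literal of 8+ chars
SECRET_PATTERNS="AIza[0-9A-Za-z_-]{35}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|secret|token|api[_-]?key)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# scan_file FILE: returns 0 if clean, 1 if a likely secret is found.
# Matching lines are printed with line numbers so the author can fix them.
scan_file() {
  if grep -nEi "$SECRET_PATTERNS" "$1"; then
    echo "possible secret in $1" >&2
    return 1
  fi
  return 0
}

# scan_staged: scan every added or modified file in the git index.
# Keeps going after the first hit so all findings are reported at once.
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=AM); do
    scan_file "$f" || status=1
  done
  return $status
}

# audit_changed: run the dependency audits from the contributor checklist,
# but only for the areas actually touched by this commit.
audit_changed() {
  changed=$(git diff --cached --name-only)
  if printf '%s\n' "$changed" | grep -q '^functions/'; then
    # Block the commit on high or critical advisories in Cloud Functions deps.
    (cd functions && npm audit --audit-level=high) || return 1
  fi
  if printf '%s\n' "$changed" | grep -qE '\.dart$|^pubspec\.(yaml|lock)$'; then
    # flutter pub outdated reports rather than fails; this only blocks if the
    # command itself cannot run (e.g. flutter missing from PATH).
    flutter pub outdated || return 1
  fi
  return 0
}

# Hook entry point: refuse the commit if either stage fails.
main() {
  scan_staged && audit_changed
}
```

Install it by copying the script to `.git/hooks/pre-commit`, appending `main "$@"` as the last line, and marking it executable. The secret scan runs first so a leaked key is never reported only after a slow audit, and it exits non-zero on any hit, which is what makes git abort the commit.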
Security-Related Dependencies¶
Critical Security Dependencies¶
| Package | Purpose | Auto-Update |
|---|---|---|
| firebase-admin | Authentication & Database | Major updates manual |
| firebase-functions | Cloud Functions runtime | Major updates manual |
| axios | HTTP client | ✅ Automated |
| qs | Query string parser | ✅ Automated |
Known Limitations¶
See DEPENDENCY_SCANNING_KONZEPT.md for:
- Currently unresolved vulnerabilities
- Mitigation strategies
- Planned fixes
Compliance¶
This project aims to be compliant with:
- OWASP Top 10 (2021): See SECURITY_AUDIT_REPORT.md
- GDPR: General Data Protection Regulation
- Firebase Security Best Practices
Contact¶
For security-related questions or concerns:
- General Security: security@easysale.de
- Project Lead: Stefan Hafner
Last Updated: February 24, 2026
Next Review: March 2026