WinStudentGoalTracker/SECURITY.md
2026-02-17 22:21:05 -04:00

Security Policy

Reporting a Vulnerability

If you discover a security issue, please report it privately.

Email: rrosado6@gatech.edu
Subject: SECURITY:

Include:

  • Description of the issue and impact
  • Steps to reproduce (PoC if available)
  • Affected components
  • Screenshots or logs (if helpful)

Do not open public issues for security vulnerabilities.

Response Timeline

  • Acknowledgement within 2 business days
  • Triage and severity assessment within 5 business days
  • Fix or mitigation as soon as practical based on severity

Responsible Disclosure

We support responsible security research conducted in good faith.
Please avoid service disruption, data exfiltration beyond proof-of-concept, or privacy violations.

Public disclosure should occur only after a fix or mitigation is available.

Security Expectations

  • Enforce server-side authorization (RBAC)
  • Protect sensitive data in transit (TLS)
  • Log and audit critical actions
  • Review code before merging