Security

Last updated: April 2, 2026

Our security practices

• OAuth-only authentication — we never store passwords
• All data encrypted in transit (TLS 1.3) and at rest
• Row Level Security enforced on all private database tables
• Regular dependency auditing via npm audit and pip-audit
• Content Security Policy headers on all pages
• Rate limiting on all API endpoints and mutations
• httpOnly, Secure, SameSite=Lax cookies for authentication sessions
• CSRF protection via origin validation on all mutations

For our complete security architecture, see the security documentation in our open-source repository.

Responsible disclosure

If you discover a security vulnerability in hypedar, please report it responsibly:

1. Email security@hypedar.dev with details of the vulnerability
2. Do NOT open public GitHub issues for security vulnerabilities
3. Include steps to reproduce if possible

Our response commitment

• 48 hours — we acknowledge receipt of your report
• 7 days — we provide an initial assessment
• We work with you on a fix timeline
• We credit you in our security acknowledgments (unless you prefer to remain anonymous)
• We ask that you give us reasonable time to fix the issue before any public disclosure

What qualifies as a vulnerability

• Authentication or authorization bypasses
• Data exposure or unauthorized access to user data
• Cross-site scripting (XSS)
• SQL injection
• Server-side request forgery (SSRF)
• Remote code execution

What does NOT qualify

• Denial of service (DoS/DDoS) attacks
• Social engineering or phishing attempts
• Issues in third-party services we use (report to them directly)
• Missing best practices without demonstrated security impact
• Reports from automated scanners without verified exploitability

Recognition

We don't currently offer monetary bounties. We do offer:

• Public credit in our security acknowledgments
• A free hypedar Pro account
• Our genuine gratitude

Contact

Security reports: security@hypedar.dev

General questions: hello@hypedar.dev