Security
Last updated: April 2, 2026
Our security practices
- OAuth-only authentication — we never store passwords
- All data encrypted in transit (TLS 1.3) and at rest
- Row Level Security enforced on all private database tables
- Regular dependency auditing via npm audit and pip-audit
- Content Security Policy headers on all pages
- Rate limiting on all API endpoints and mutations
- httpOnly, Secure, SameSite=Lax cookies for authentication sessions
- CSRF protection via origin validation on all mutations
For our complete security architecture, see the security documentation in our open-source repository.
Responsible disclosure
If you discover a security vulnerability in hypedar, please report it responsibly:
- Email security@hypedar.dev with details of the vulnerability
- Do NOT open public GitHub issues for security vulnerabilities
- Include steps to reproduce if possible
Our response commitment
- 48 hours — we acknowledge receipt of your report
- 7 days — we provide an initial assessment
- We work with you on a fix timeline
- We credit you in our security acknowledgments (unless you prefer to remain anonymous)
- We ask that you give us reasonable time to fix the issue before any public disclosure
What qualifies as a vulnerability
- Authentication or authorization bypasses
- Data exposure or unauthorized access to user data
- Cross-site scripting (XSS)
- SQL injection
- Server-side request forgery (SSRF)
- Remote code execution
What does NOT qualify
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing attempts
- Issues in third-party services we use (report to them directly)
- Missing best practices without demonstrated security impact
- Reports from automated scanners without verified exploitability
Recognition
We don't currently offer monetary bounties. We do offer:
- Public credit in our security acknowledgments
- A free hypedar Pro account
- Our genuine gratitude
Contact
Security reports: security@hypedar.dev
General questions: hello@hypedar.dev