Security: JBWolfFlow/DCOP

Security Policy

Reporting Security Vulnerabilities

We take the security of DCOP Mobile seriously. If you discover a security vulnerability, please help us protect our users by following responsible disclosure practices.

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via:

  • GitHub Security Advisories: use the "Report a vulnerability" button on the repository's Security tab. Reports filed this way stay private until a fix is released and give both sides an encrypted channel, which is what makes responsible disclosure possible.

What to Include

Please include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Suggested fix (if any)
  • Your contact information

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Varies by severity (Critical: 7-14 days, High: 14-30 days, Medium: 30-60 days)

Security Acknowledgments

We maintain a security hall of fame to recognize security researchers who have helped us improve our security posture. With your permission, we'll acknowledge your contribution after the vulnerability is fixed.


Security Best Practices

For Developers

1. Secrets Management

NEVER commit secrets to git:

# Install pre-commit hooks to prevent accidental commits
pip install pre-commit
pre-commit install

# Generate secure secrets
openssl rand -base64 32  # For JWT_SECRET
uuidgen                  # For API keys

Required Environment Variables (Production):

  • JWT_SECRET - Generate with openssl rand -base64 32 (min 32 chars)
  • ADMIN_API_KEY - Generate with openssl rand -base64 32 (min 20 chars)
  • SAM_API_KEY - Obtain from https://sam.gov
  • DATABASE_URL - Must be PostgreSQL (not SQLite)
  • CORS_ALLOWED_ORIGINS - Production domains only (no localhost)

2. Certificate Pinning

Before deploying to production, update certificate pins:

Mobile (Flutter):

# Get certificate pin for your API server
echo | openssl s_client -servername your-api-domain.com \
  -connect your-api-domain.com:443 2>/dev/null | \
  openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | \
  openssl dgst -sha256 -binary | base64

Update in:

  • lib/core/security/certificate_pinning.dart (lines 30-35)
  • android/app/src/main/res/xml/network_security_config.xml (lines 38-41)

Validation: The app will FAIL to connect if placeholder pins are used in production.

3. Database Security

Production Requirements:

  • ✅ Use PostgreSQL with TLS encryption
  • ✅ Never use SQLite in production
  • ✅ Enable connection pooling
  • ✅ Use environment variables for credentials (not hardcoded)

Startup Validation: The app performs automatic security checks on startup:

  • Validates JWT_SECRET is set and ≥ 32 characters
  • Validates ADMIN_API_KEY is set and ≥ 20 characters
  • Rejects SQLite in production environment
  • Rejects localhost CORS origins in production
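The startup validation listed above and the environment-variable rules from section 1, written as a small Python validator. This is an added example, not DCOP's own code: ENVIRONMENT, validate_settings, enforce_startup_checks and ConfigError are assumed names, and the mapping passed in stands in for os.environ.

```python
import os
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


class ConfigError(RuntimeError):
    """Raised at startup with every violation, so operators fix them in one pass."""


def _is_local_origin(origin: str) -> bool:
    host = (urlparse(origin).hostname or "").lower()
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def validate_settings(env) -> list:
    """Return the list of violations for a settings mapping (empty means OK).

    Rules follow the policy text: JWT_SECRET >= 32 chars, ADMIN_API_KEY >= 20
    chars, and in production no SQLite DATABASE_URL and no localhost CORS
    origin. ENVIRONMENT is an assumed variable name (not from the policy).
    """
    problems = []
    production = env.get("ENVIRONMENT", "development").lower() == "production"

    if len(env.get("JWT_SECRET", "")) < 32:
        problems.append("JWT_SECRET must be set and at least 32 characters")
    if len(env.get("ADMIN_API_KEY", "")) < 20:
        problems.append("ADMIN_API_KEY must be set and at least 20 characters")
    if production:
        # SQLAlchemy URLs look like "postgresql+psycopg2://..."; compare only the
        # dialect part so any PostgreSQL driver passes and sqlite is rejected.
        dialect = urlparse(env.get("DATABASE_URL", "")).scheme.split("+")[0]
        if dialect not in {"postgresql", "postgres"}:
            problems.append("DATABASE_URL must be PostgreSQL in production (SQLite rejected)")

        origins = [o.strip() for o in env.get("CORS_ALLOWED_ORIGINS", "").split(",")]
        local = [o for o in origins if o and _is_local_origin(o)]
        if local:
            problems.append("CORS_ALLOWED_ORIGINS contains localhost origins: " + ", ".join(local))

    return problems


def enforce_startup_checks(env=None) -> None:
    """Abort startup by raising ConfigError if any check fails; call before serving."""
    problems = validate_settings(os.environ if env is None else env)
    if problems:
        raise ConfigError("Refusing to start:\n  - " + "\n  - ".join(problems))
```

Call enforce_startup_checks() once, before the application binds its port, so a misconfigured deployment never serves a single request.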

4. Authentication & Authorization

Password Requirements:

  • Minimum 8 characters
  • Must contain: uppercase, lowercase, digit, special character
  • Passwords hashed with bcrypt (cost factor 12)

JWT Tokens:

  • Access token expiration: 60 minutes (configurable)
  • Refresh tokens for session extension
  • Tokens invalidated on logout

Admin Endpoints:

  • Protected by ADMIN_API_KEY in production
  • No development mode bypass allowed
  • Returns 401 if key is missing or invalid

5. API Security

Rate Limiting:

  • 20-30 requests/minute per IP
  • Per-endpoint rate limiting configured
  • Returns 429 Too Many Requests when exceeded
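An added example (not taken from DCOP) of the per-IP, per-endpoint limiting described above, as a sliding-window limiter in Python. The endpoint paths and limits are constructed values inside the policy's 20-30 requests/minute band, and the clock is injectable so the window can be exercised without waiting a minute.

```python
import math
import time
from collections import defaultdict, deque

# Per-endpoint limits in requests per window; constructed values chosen inside
# the policy's 20-30 requests/minute band (the endpoint paths are assumed).
ENDPOINT_LIMITS = {"/auth/login": 20, "/api/search": 30}
DEFAULT_LIMIT = 30
WINDOW_SECONDS = 60.0


class RateLimiter:
    """Sliding-window limiter keyed by (client IP, endpoint path)."""

    def __init__(self, limits=None, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits = dict(ENDPOINT_LIMITS if limits is None else limits)
        self.window = window
        self.clock = clock  # injectable so the window can be tested deterministically
        self._hits = defaultdict(deque)  # (ip, endpoint) -> timestamps of allowed requests

    def check(self, ip: str, endpoint: str):
        """Account for one request and return (status, retry_after_seconds).

        status is 200 when the request may proceed and 429 when the per-IP,
        per-endpoint limit is exceeded. Rejected requests are not recorded,
        so a client that keeps retrying does not extend its own lockout.
        """
        now = self.clock()
        limit = self.limits.get(endpoint, DEFAULT_LIMIT)
        hits = self._hits[(ip, endpoint)]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= limit:
            retry_after = max(1, math.ceil(hits[0] + self.window - now))
            return 429, retry_after
        hits.append(now)
        return 200, 0


def response_headers(status: int, retry_after: int) -> dict:
    """Headers a middleware would attach: Retry-After only on a 429."""
    return {"Retry-After": str(retry_after)} if status == 429 else {}
```

In a real deployment the per-key state lives in a shared store such as Redis rather than process memory, otherwise each worker enforces its own copy of the limit.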

Security Headers:

  • Strict-Transport-Security (HSTS)
  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • X-XSS-Protection: 1; mode=block

Input Validation:

  • All API inputs validated with Pydantic models
  • SQL injection prevention via parameterized queries (SQLAlchemy ORM)
  • Path traversal protection in middleware
  • Request size limits enforced

6. Mobile App Security

Data Storage:

  • Sensitive data encrypted with AES-256-GCM
  • Platform-secure storage:
    • iOS: Keychain with first_unlock accessibility
    • Android: EncryptedSharedPreferences
  • Biometric authentication with rate limiting (3 attempts, 5-min lockout)

Network Security:

  • Certificate pinning enforced (production)
  • HTTPS-only communication
  • WebView URL whitelist validation
  • No JavaScript injection

Logging:

  • Sensitive data never logged
  • Debug logs only in debug builds
  • Print statements stripped in release builds

Security Architecture

Defense in Depth

  1. Network Layer
     • Certificate pinning (TLS)
     • HTTPS enforcement
     • CORS restrictions
  2. Application Layer
     • Input validation
     • Authentication & authorization
     • Rate limiting
     • Security headers
  3. Data Layer
     • Encryption at rest
     • Parameterized queries
     • Secure credential storage
  4. Infrastructure Layer
     • Non-root Docker container
     • Pinned base images
     • Security scanning in CI/CD

Known Security Controls

Control                  | Status         | Implementation
-------------------------|----------------|------------------------------------------
SQL Injection Prevention | ✅ Implemented | SQLAlchemy ORM with parameterized queries
XSS Protection           | ✅ Implemented | JSON-only API, CSP headers
CSRF Protection          | ✅ Implemented | Stateless JWT auth (no cookies)
Authentication           | ✅ Implemented | bcrypt + JWT
Authorization            | ✅ Implemented | Role-based access control
Rate Limiting            | ✅ Implemented | Per-IP, per-endpoint
Certificate Pinning      | ⚠️ Configured  | Requires production pins
Secrets Management       | ⚠️ Partial     | Environment variables (needs rotation)
Audit Logging            | ⚠️ Partial     | Security events logged (needs expansion)

Compliance

Standards Followed

  • OWASP Top 10 (2021): All critical vulnerabilities addressed
  • NIST Cybersecurity Framework: Identify, Protect, Detect implemented
  • CWE Top 25: Most dangerous weaknesses mitigated

Data Protection

  • Passwords: bcrypt hashed, never stored in plaintext
  • Tokens: JWT with expiration, stored encrypted
  • API Keys: Loaded from environment, never committed to code
  • User PII: Email addresses, minimal collection

Security Testing

Automated Testing

Pre-commit Hooks:

# Install and enable
pip install pre-commit
pre-commit install

# Run manually
pre-commit run --all-files

CI/CD Security Scans:

  • Secrets detection (detect-secrets)
  • Dependency vulnerabilities (safety, dependabot)
  • Static analysis (bandit for Python, dart analyze for Flutter)

Manual Testing Checklist

Before Production Deployment:

  • All environment variables set in production
  • Certificate pins updated (not placeholders)
  • Database is PostgreSQL (not SQLite)
  • CORS configured for production domains only
  • Admin API key configured
  • SAM.gov API key configured
  • No .env files committed
  • No database files committed
  • Pre-commit hooks installed
  • Security headers verified
  • Rate limiting tested
  • Authentication flows tested

Quarterly Security Tasks:

  • Rotate JWT secret
  • Rotate admin API key
  • Update dependencies (security patches)
  • Review audit logs
  • Penetration testing
  • Security training

Incident Response

Security Incident Classification

Critical (P0)

  • Active exploit in production
  • Credentials compromised
  • Data breach

High (P1)

  • Vulnerability with public exploit
  • Authentication bypass
  • Privilege escalation

Medium (P2)

  • Vulnerability requiring user interaction
  • Information disclosure
  • DoS vulnerability

Low (P3)

  • Minor information leak
  • Configuration issue
  • Non-exploitable vulnerability

Incident Response Procedure

  1. Detect: Monitoring alerts or security report received
  2. Assess: Determine severity and impact
  3. Contain: Isolate affected systems, rotate credentials
  4. Investigate: Analyze logs, determine root cause
  5. Remediate: Apply fix, verify resolution
  6. Communicate: Notify affected parties (if applicable)
  7. Document: Create incident report, update security controls

Version History

Version | Date       | Changes
--------|------------|------------------------
1.0.0   | 2026-01-22 | Initial security policy
