The Privy team takes security seriously. If you discover a security vulnerability, please follow responsible disclosure practices.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please:
- Email security details to the maintainers (privately)
- Include detailed steps to reproduce the vulnerability
- Provide the impact assessment
- Allow time for the issue to be addressed before public disclosure
Security issues in scope include:
- Authentication bypasses
- Authorization flaws
- Injection vulnerabilities (SQL, NoSQL, Command)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Information disclosure
- Remote code execution
- Denial of service (DoS)
- API key/credential exposure
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (critical issues prioritized)
When using Privy in production:
- Use strong, unique passwords for PostgreSQL and Redis
- Enable SSL/TLS for database connections
- Use environment variables for all secrets
- Never commit `.env` files to version control
- Regularly rotate API keys and passwords
- Use HTTPS in production
- Implement rate limiting (built-in)
- Monitor API usage patterns
- Validate all input data
- Use proper CORS settings
- Keep PostgreSQL and Redis updated
- Use firewall rules to restrict access
- Monitor system logs
- Use intrusion detection systems
- Conduct regular security audits
- Keep Python dependencies updated
- Use security scanning tools
- Implement proper logging (without secrets)
- Use secure session management
- Validate JWT tokens properly
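To make the last three items concrete (secrets from the environment, no secrets in logs, proper JWT validation), here is an added example that is not part of Privy's code: a stdlib-only HS256 validator that pins the algorithm, compares the signature in constant time, and checks `exp`, `nbf` and `aud`. The `make_token` helper, the `JWT_SECRET` variable name and the `privy-api` audience are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, os, time

def b64url_decode(s: str) -> bytes:
    """Decode base64url, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes) -> str:
    """Constructed helper that mints HS256 tokens so the demo runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError on any failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm server-side: the header's alg is untrusted input,
    # so 'none' or an unexpected algorithm is rejected before any signature work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # Claim checks: required expiry, optional not-before, and the expected audience.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims

if __name__ == "__main__":
    # Secret comes from the environment (as the checklist advises); the fallback is a demo value only.
    secret = os.environ.get("JWT_SECRET", "demo-only-secret").encode()
    token = make_token({"sub": "user1", "aud": "privy-api", "exp": int(time.time()) + 60}, secret)
    print(validate_token(token, secret, "privy-api"))
```

Error messages are deliberately generic so that a failed check can be logged without echoing the token or the secret.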
We recommend regular security scanning:
```bash
# Dependency vulnerability scanning
pip install safety
safety check
# Code security analysis
pip install bandit
bandit -r app/
# Static analysis
pip install semgrep
semgrep --config=auto app/
```

Supported versions:

| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |
We acknowledge security researchers who responsibly disclose vulnerabilities:
No vulnerabilities reported yet.
Thank you for helping keep Privy secure!