Security Policy
How PiggyBack protects your data, and how to report vulnerabilities responsibly.
Supported Versions
| Version | Supported |
|---|---|
| 0.9.x | Yes |
| < 0.9 | No |
Reporting a Vulnerability
Report vulnerabilities privately via one of these methods:
- GitHub Private Vulnerability Reporting: use the Security Advisories tab to privately report the issue.
- Contact the maintainer directly (see GitHub profile).
What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response Timeline
You will be credited in the release notes (unless you prefer otherwise).
Security Measures
AES-256-GCM Encryption
Up Bank API tokens are encrypted at rest in the database using AES-256-GCM.
Row Level Security
All user-facing Supabase tables are protected with RLS policies, ensuring users can only access their own data.
HMAC-SHA256 Verification
Up Bank webhook payloads are verified against their HMAC-SHA256 signature using a timing-safe comparison to prevent tampering.
Server-Side Secrets
Encryption keys and API credentials are never exposed to client-side code.
Supabase Auth SSR
Cookie-based sessions with secure defaults, managed via Supabase Auth with SSR.
Responsible Disclosure
We follow responsible disclosure practices. We ask that you:
- Allow reasonable time for us to address the issue before public disclosure
- Avoid accessing or modifying other users' data
- Act in good faith to avoid degradation of the service