
Security: anonrose/loopty


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them privately via email to security@loopty.dev.

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

  • Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Security Measures

Authentication & Authorization

  • JWT-based authentication with secure token handling
  • Role-based access control (RBAC) with org-level isolation
  • API key authentication for programmatic access
  • Session management with secure cookie settings

Data Protection

  • All secrets encrypted at rest using AES-256-GCM
  • Unique initialization vectors (IV) per encryption
  • Database credentials stored securely
  • Secrets never exposed in API responses or logs

Code Execution Sandboxing

  • JavaScript nodes run in isolated-vm with strict limits:
    • Memory limits enforced
    • Execution time limits
    • No filesystem access
    • No network access from sandbox
  • Python/heavy nodes run in ephemeral Docker containers:
    • Resource limits (CPU, memory)
    • Network restrictions
    • Read-only filesystem where possible
    • No privileged access

Network Security

  • HTTPS required in production
  • CORS configured per deployment
  • Rate limiting on all endpoints
  • Egress allowlist for HTTP nodes

Infrastructure

  • Containers run as non-root users
  • Minimal base images (Alpine/Distroless where possible)
  • Regular dependency updates
  • Security scanning in CI pipeline

Disclosure Policy

When we receive a security bug report, we will:

  1. Confirm the problem and determine affected versions
  2. Audit code to find any similar problems
  3. Prepare fixes for all supported versions
  4. Release new versions and publish advisory

Security Best Practices for Users

Deployment

  • Always use HTTPS in production
  • Set strong, unique values for all secrets
  • Use secrets management (e.g., Vault, AWS Secrets Manager)
  • Regularly rotate credentials and API keys
  • Enable audit logging

Configuration

  • Restrict CORS origins to trusted domains
  • Configure appropriate rate limits
  • Set reasonable execution timeouts
  • Review and restrict egress allowlist

Monitoring

  • Monitor for unusual activity patterns
  • Set up alerts for authentication failures
  • Review audit logs regularly
  • Keep dependencies updated

Security-Related Configuration

Key environment variables for security:

# Required - generate strong random values
JWT_SECRET=<32+ character random string>
ENCRYPTION_KEY=<32 byte hex string for AES-256>

# Recommended settings
NODE_ENV=production
CORS_ORIGINS=https://yourdomain.com
RATE_LIMIT_MAX=100
RATE_LIMIT_WINDOW_MS=60000

# Sandbox limits
SANDBOX_TIMEOUT_MS=30000
SANDBOX_MEMORY_MB=128

Bug Bounty

We do not currently have a bug bounty program, but we deeply appreciate security researchers who take the time to report vulnerabilities responsibly.

We will publicly acknowledge researchers who report valid vulnerabilities (unless they prefer to remain anonymous).

Contact

Thank you for helping keep Loopty and its users safe!
