We are committed to the security of the Metascience Platform. Currently, we support the latest stable version of the platform.
| Version | Supported |
|---|---|
| v1.x.x | ✅ |
| < v1.x | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a potential security vulnerability, please report it immediately to the maintainers at gabreiele.battimelli@kernel-science.com.
Please include the following information in your report:
- Type of issue (e.g., SQL injection, XSS, etc.)
- Location of the vulnerability (file, endpoint, etc.)
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any proof-of-concept code (if available)
We aim to respond to all security reports within 48-72 hours. We will work with you to understand the issue and provide a timeline for a fix.
When using Metascience Platform:
- Never commit API keys - Always use environment variables.
- Keep dependencies updated - Run security audits regularly (`pnpm audit`, `pip list --outdated`).
- Use HTTPS in production - Deploy behind a reverse proxy with SSL/TLS.
- Enable authentication - Don't expose endpoints publicly without auth.
- Validate inputs - Never trust user input on the frontend or backend.
- Use Supabase RLS - Enable Row Level Security on all database tables.
- In-Memory Storage: Current backend implementation doesn't persist data. For production, migrate to Supabase.
- External API Keys: Protect your Anthropic and Google API keys - they have usage costs.
- Rate Limiting: Consider implementing rate limiting to prevent abuse of external APIs (Semantic Scholar, OpenAlex).
We follow responsible disclosure practices:
- We will acknowledge receipt of your report.
- We will investigate the issue and communicate our findings.
- We will fix the issue privately before public disclosure.
- We will announce the fix and provide credit to the researcher (if desired).
Thank you for helping us keep the Metascience Platform secure!