Skip to main content

Security Policy

ORAN handles authentication, location data, and health-adjacent service queries. We take security seriously and welcome responsible disclosure from the research community.

Reporting a vulnerability

If you discover a security vulnerability, please report it privately. Do not open a public GitHub issue for security-sensitive findings.

Scope

In scope

  • ORAN web application (openresourceaccessnetwork.com)
  • All public API endpoints (/api/**)
  • Authentication and session management
  • Data submission and search pipeline

Out of scope

  • Third-party services (Clerk, Supabase, Vercel, Sentry, OpenStreetMap)
  • Denial-of-service attacks
  • Social engineering or phishing attempts against ORAN staff
  • Physical security

Our commitments

48hAcknowledge all vulnerability reports within 48 hours.
14dRemediate critical vulnerabilities within 14 days of confirmation.
βœ“No legal action against researchers acting in good faith, following this policy, and not accessing or exfiltrating user data beyond what is necessary to demonstrate the vulnerability.
βœ“Credit in release notes for responsibly disclosed, confirmed vulnerabilities (unless the researcher prefers anonymity).
β„ΉORAN does not currently operate a paid bug bounty program. All qualifying reporters receive public attribution (with consent) and our formal thanks.

Security practices

AreaDetail
AuthenticationClerk manages identity and sessions. ORAN-owned roles are resolved from the database, protected routes are gated server-side, and production fails closed when auth is unavailable.
AuthorizationRole-based access control (RBAC) enforced at both middleware and API handler level. Principle of least privilege.
Input validationHigh-risk API inputs use bounded schemas or explicit parsers. User values are parameterized in SQL; dynamic query fragments come from application-controlled allowlists.
Encryption in transitThe Vercel application is configured for HTTPS. Public-domain TLS is a required cutover check before general traffic.
Encryption at restApplication data is encrypted at rest in the dedicated ORAN Supabase project.
PII in telemetryOperational telemetry is minimized and must not include precise location, intake answers, or message content. Sentry payload controls are part of release review.
Content Security PolicyCSP header applied sitewide. No CORS wildcard. Same-origin policy default.
Rate limitingChat quotas use database-enforced daily and burst limits with fail-closed behavior. Other sensitive routes apply bounded request limits and return Retry-After where supported.
Dependency managementDependabot security alerts enabled. npm audit runs in CI on every pull request. High-severity CVEs block merging.

Full technical control details in docs/SECURITY_PRIVACY.md. See also our Privacy Policy for telemetry and data collection details.

Past disclosures

No disclosures on record.

Machine-readable disclosure file

SECURITY.md in the repository root for automated tooling.

View SECURITY.md β†’

A security.txt file at /.well-known/security.txt is planned for a future release.