Security Policy
ORAN handles authentication, location data, and health-adjacent service queries. We take security seriously and welcome responsible disclosure from the research community.
Reporting a vulnerability
If you discover a security vulnerability, please report it privately. Do not open a public GitHub issue for security-sensitive findings.
Scope
In scope
- ORAN web application (openresourceaccessnetwork.com)
- All public API endpoints (/api/**)
- Authentication and session management
- Data submission and search pipeline
Out of scope
- Third-party services (Clerk, Supabase, Vercel, Sentry, OpenStreetMap)
- Denial-of-service attacks
- Social engineering or phishing attempts against ORAN staff
- Physical security
Our commitments
48hAcknowledge all vulnerability reports within 48 hours.
14dRemediate critical vulnerabilities within 14 days of confirmation.
βNo legal action against researchers acting in good faith, following this policy, and not accessing or exfiltrating user data beyond what is necessary to demonstrate the vulnerability.
βCredit in release notes for responsibly disclosed, confirmed vulnerabilities (unless the researcher prefers anonymity).
βΉORAN does not currently operate a paid bug bounty program. All qualifying reporters receive public attribution (with consent) and our formal thanks.
Security practices
| Area | Detail |
|---|---|
| Authentication | Clerk manages identity and sessions. ORAN-owned roles are resolved from the database, protected routes are gated server-side, and production fails closed when auth is unavailable. |
| Authorization | Role-based access control (RBAC) enforced at both middleware and API handler level. Principle of least privilege. |
| Input validation | High-risk API inputs use bounded schemas or explicit parsers. User values are parameterized in SQL; dynamic query fragments come from application-controlled allowlists. |
| Encryption in transit | The Vercel application is configured for HTTPS. Public-domain TLS is a required cutover check before general traffic. |
| Encryption at rest | Application data is encrypted at rest in the dedicated ORAN Supabase project. |
| PII in telemetry | Operational telemetry is minimized and must not include precise location, intake answers, or message content. Sentry payload controls are part of release review. |
| Content Security Policy | CSP header applied sitewide. No CORS wildcard. Same-origin policy default. |
| Rate limiting | Chat quotas use database-enforced daily and burst limits with fail-closed behavior. Other sensitive routes apply bounded request limits and return Retry-After where supported. |
| Dependency management | Dependabot security alerts enabled. npm audit runs in CI on every pull request. High-severity CVEs block merging. |
Full technical control details in docs/SECURITY_PRIVACY.md. See also our Privacy Policy for telemetry and data collection details.
Past disclosures
No disclosures on record.
Machine-readable disclosure file
SECURITY.md in the repository root for automated tooling.
A security.txt file at /.well-known/security.txt is planned for a future release.