If you discover a security vulnerability in CableOps, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email your report to the project maintainers with the subject line: [SECURITY] CableOps vulnerability report
3. Include:
   • A description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment within 48 hours of your report
• Assessment within 7 days — we will evaluate severity and impact
• Fix timeline communicated after assessment
• Credit given to reporters in the release notes (unless you prefer anonymity)

CableOps uses better-auth for authentication with secure session management. Sessions are stored server-side in PostgreSQL.

• All database queries use parameterized statements via Drizzle ORM (no raw SQL injection risk)
• Database credentials should be stored in environment variables, never in source code

The following secrets must be kept confidential:

• Use HTTPS in production
• Set strong, unique values for BETTER_AUTH_SECRET
• Restrict database access to the application server only
• Keep dependencies updated — run pnpm audit regularly
• Use environment-specific configurations (never share .env files)

We monitor dependencies for known vulnerabilities. Run pnpm audit to check for issues locally.