## Supported Versions

Only the latest deployed version of Chitragupta receives security updates.
## Reporting a Vulnerability

If you discover a security vulnerability, please report it privately by emailing the team directly (do not file public GitHub issues).

What to include:

- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact

Response timeline:

- 24 hours: acknowledgment of receipt
- 7 days: initial assessment and remediation plan
- 30 days: fix deployed, or rationale for an extended timeline
## Bug Bounty

We do not currently offer a bug bounty program.
## Backup & Recovery

### Automated Backups (Supabase)

- Supabase Pro plan includes daily automated backups with 7-day retention
- Point-in-Time Recovery (PITR) available on Pro plan (30-day window)
- Verify backups: Supabase Dashboard → Database → Backups
### Restore Procedure

1. Go to Supabase Dashboard → Database → Backups
2. Select backup → "Restore"
3. Choose target: new project (recommended) or same project
4. Wait for restoration (5-30 min depending on size)
5. Verify integrity after restoration
6. Update connection secrets if restoring to a new project
### RTO / RPO Targets

| Metric | Target (daily backup, manual restore) | Target (PITR) |
|---|---|---|
| RTO (Recovery Time) | < 4 hours | < 1 hour |
| RPO (Recovery Point) | < 24 hours | < 1 hour |
## Incident Response

### 1. Credential Leak

If API keys, the service role key, or other secrets are exposed:

- Rotate the compromised key immediately in the provider dashboard
- Update configuration files and the secrets store
- Revoke the old key
- Check audit logs for unauthorized access
- Notify affected users if data may have been exposed

### 2. Database Corruption / Data Loss

- Stop writes: temporarily disable write operations
- Restore from backup
- Verify integrity with database statistics
- Notify users of the service disruption

### 3. DDoS / Brute Force Attack

- Rate limiting active via KV namespace
- Cloudflare protections: Under Attack mode, WAF rules, geo-blocking
- Review logs in Cloudflare analytics
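A fixed-window rate limiter on top of a Workers KV namespace, as an added example for the "Rate limiting active via KV namespace" item above; this is not Chitragupta's own code. The binding name `RATE_LIMIT`, the per-client limit, the window length and the shape of the Worker entry point are assumptions, and the in-memory `MemoryKV` stand-in is constructed so the logic runs offline.

```javascript
// Fixed-window rate limiter backed by a Cloudflare Workers KV namespace.
// Added example for this document, not Chitragupta's own code. The binding
// name RATE_LIMIT, the limit and the window length are illustrative.

const LIMIT = 20;          // requests permitted per client per window
const WINDOW_SECONDS = 60; // fixed window length; KV TTLs must be >= 60 s

// Start of the window (in whole seconds) that `nowMs` falls into.
function windowStart(nowMs, windowSeconds = WINDOW_SECONDS) {
  return Math.floor(nowMs / 1000 / windowSeconds) * windowSeconds;
}

// One KV key per client per window; TTL expiry removes stale counters.
function windowKey(clientId, nowMs, windowSeconds = WINDOW_SECONDS) {
  return `rl:${clientId}:${windowStart(nowMs, windowSeconds)}`;
}

// Pure decision step: given the count already seen in this window, decide
// whether one more request is allowed and how long a blocked client waits.
function decide(current, nowMs, limit = LIMIT, windowSeconds = WINDOW_SECONDS) {
  if (current >= limit) {
    const resetAt = windowStart(nowMs, windowSeconds) + windowSeconds;
    return { allowed: false, remaining: 0, retryAfter: resetAt - Math.floor(nowMs / 1000) };
  }
  return { allowed: true, remaining: limit - current - 1, retryAfter: 0 };
}

// `kv` is anything with the KV namespace methods get(key) and
// put(key, value, { expirationTtl }). KV has no atomic increment and is
// eventually consistent across PoPs, so two edge locations may both read the
// same count and write current+1: the limit is approximate abuse damping,
// not an exact quota. Use Durable Objects where an exact quota is required.
async function checkRateLimit(kv, clientId, nowMs = Date.now(), limit = LIMIT, windowSeconds = WINDOW_SECONDS) {
  const key = windowKey(clientId, nowMs, windowSeconds);
  const current = Number((await kv.get(key)) ?? 0);
  const verdict = decide(current, nowMs, limit, windowSeconds);
  if (verdict.allowed) {
    // A TTL of two windows keeps the counter alive until the window is over.
    await kv.put(key, String(current + 1), { expirationTtl: windowSeconds * 2 });
  }
  return verdict;
}

// Worker-style entry point (assumed shape): the KV binding arrives on `env`.
async function handleRequest(request, env) {
  const clientId = request.headers.get('CF-Connecting-IP') ?? 'unknown';
  const verdict = await checkRateLimit(env.RATE_LIMIT, clientId);
  if (!verdict.allowed) {
    return new Response('Too Many Requests', {
      status: 429,
      headers: { 'Retry-After': String(verdict.retryAfter) },
    });
  }
  return new Response('ok', { headers: { 'X-RateLimit-Remaining': String(verdict.remaining) } });
}

// Constructed in-memory stand-in for the KV namespace so the logic runs
// offline; it ignores TTLs, which the real namespace would honour.
class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key) { return this.store.has(key) ? this.store.get(key) : null; }
  async put(key, value) { this.store.set(key, value); }
}

// Drive `limit + 1` requests from one client inside a single window and
// return the sequence of verdicts (constructed client id, fixed clock).
async function simulate(limit = 3) {
  const kv = new MemoryKV();
  const t0 = 1_700_000_000_000; // fixed clock so the run is deterministic
  const verdicts = [];
  for (let i = 0; i <= limit; i++) {
    verdicts.push(await checkRateLimit(kv, '203.0.113.7', t0 + i * 1000, limit));
  }
  return verdicts;
}

simulate().then(v => console.log(v.map(x => (x.allowed ? 'allow' : '429')).join(' ')));
```

The decision logic is kept separate from the KV I/O so it can be unit-tested without a namespace. Because KV is eventually consistent, a burst spread across several edge locations can briefly exceed the limit; that is acceptable for brute-force damping on login and mutation routes, but the Cloudflare WAF and Under Attack mode listed above remain the first line against volumetric traffic.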
## Security Checklist

- [x] HTTPS enforced — Cloudflare + HSTS
- [x] Security headers — CSP, X-Frame-Options, X-Content-Type-Options
- [x] RLS policies — All tables have RLS enabled
- [x] Rate limiting — Login and mutation throttling
- [x] Input validation — Server-side + DB constraints
- [x] Error sanitization — Schema details stripped from errors
- [ ] Backup test — Verify quarterly
- [ ] Dependency audit — Pre-deploy audit
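Two of the checklist items above, security headers with HSTS and error sanitization, written out in Worker-style JavaScript as an added example; this is not Chitragupta's own code. The header values, the error shape (`{ code, message, details, hint }`, as PostgREST returns it), the SQLSTATE-to-status mapping and the sample error are assumptions or constructed values, not taken from the project.

```javascript
// Added example for this document, not Chitragupta's own code: the
// security/HSTS response headers and the stripping of schema details from
// database errors. Header values, the error shape and the status mapping
// are assumptions.

// Baseline headers. The CSP here is a strict starting point; a real policy
// adds the script, style and connect origins the app actually uses (for a
// Supabase backend, the project URL under connect-src).
const SECURITY_HEADERS = Object.freeze({
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy':
    "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
});

// Merge the baseline into a header map, keeping any header the route already
// set (a route may legitimately carry its own, tighter CSP). Names are
// compared case-insensitively, as HTTP requires.
function withSecurityHeaders(headers = {}) {
  const out = { ...headers };
  const present = new Set(Object.keys(out).map(k => k.toLowerCase()));
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!present.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Fragments that reveal schema internals in PostgreSQL/PostgREST messages.
const SCHEMA_LEAK_PATTERNS = [
  /relation "/i, /column "/i, /constraint "/i, /schema "/i, /violates .* constraint/i,
];

// True if a message would tell a caller about table, column or constraint names.
function leaksSchema(text) {
  return SCHEMA_LEAK_PATTERNS.some(re => re.test(String(text ?? '')));
}

// SQLSTATE codes worth a specific public message; everything else is generic.
// 42501 (insufficient_privilege) is what surfaces when an RLS policy denies the operation.
const PUBLIC_BY_CODE = Object.freeze({
  '23505': { status: 409, message: 'A record with these values already exists.' },
  '23503': { status: 400, message: 'A referenced record does not exist.' },
  '42501': { status: 403, message: 'You do not have permission to perform this action.' },
});

// Log the full error server-side under a correlation id and return only a
// fixed, code-based message plus that id to the client.
function sanitizeError(err, log = console.error, makeId = defaultId) {
  const errorId = makeId();
  log(JSON.stringify({ errorId, code: err?.code, message: err?.message, details: err?.details, hint: err?.hint }));
  const mapped = PUBLIC_BY_CODE[err?.code] ?? { status: 500, message: 'Internal error.' };
  return { status: mapped.status, body: { error: mapped.message, errorId } };
}

// crypto.randomUUID exists in Workers and recent Node; fall back on older runtimes.
function defaultId() {
  return globalThis.crypto?.randomUUID?.() ?? Math.random().toString(16).slice(2);
}

// Worker-style JSON response with the hardening headers applied.
function jsonResponse(status, body, headers = {}) {
  return new Response(JSON.stringify(body), {
    status,
    headers: withSecurityHeaders({ 'Content-Type': 'application/json; charset=utf-8', ...headers }),
  });
}

// Constructed sample: the error PostgREST produces for a unique-key clash.
const SAMPLE_DB_ERROR = {
  code: '23505',
  message: 'duplicate key value violates unique constraint "profiles_username_key"',
  details: 'Key (username)=(alice) already exists.',
  hint: null,
};

// Demo run with a silent log sink; the real sink is assumed to be the Worker's console/tail.
const sanitized = sanitizeError(SAMPLE_DB_ERROR, () => {}, () => 'demo-id');
console.log(leaksSchema(SAMPLE_DB_ERROR.message), leaksSchema(sanitized.body.error), sanitized);
```

`leaksSchema` doubles as a guard for the checklist item itself: running it over the messages a route returns (in a test or a pre-deploy check) catches a handler that forwards a raw database message. The correlation id is what lets support match a client report to the full, unsanitized entry in the server-side log.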
## Key Contacts & Escalation

| Role | Responsible |
|---|---|
| Security Lead | DevOps Lead |
| Database Admin | Backend Dev |
| Incident Response | On-call rotation |

For security issues: email the team directly — do not file public GitHub issues.