We actively support the latest version of JDex. Security updates are provided for the current release.

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

1. Do not open a public GitHub issue
2. Email security concerns to: [email protected]
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

We will respond within 48 hours and work with you to address the issue.

• Keep JDex updated to the latest version
• Use strong system-level encryption for your device
• Be cautious when sharing database export files
• Review exported data before sharing
• Backup your JDex database regularly

See SECURITY-REVIEW.md for our security review checklist.

• Always validate and sanitize user inputs
• Use centralized validation functions
• Sanitize values before storing in database
• Validate JD numbers match expected patterns

• Never expose sensitive information in error messages
• Use structured logging instead of console.* in production
• Hide stack traces in production builds
• Provide user-friendly error messages

• Always use parameterized queries
• Never concatenate user input into SQL strings
• Use the centralized database functions in db.js

• Keep dependencies up to date
• Review security advisories regularly
• Use npm audit before releases

• Input Sanitization: Text inputs are sanitized to remove HTML and control characters
• SQL Injection Protection: Queries use parameterized statements
• XSS Prevention: React's default escaping prevents XSS attacks
• Error Sanitization: Production error messages are generic
• Dependency Scanning: Automated vulnerability scanning in CI/CD
• Secrets Scanning: Gitleaks prevents accidental credential commits

JDex is a local-first desktop application. Primary threats include:

• Local data tampering: Mitigated by browser localStorage isolation
• Memory inspection: Data is not persisted in memory beyond session
• Malicious file imports: Database imports are validated

• Input validation at all entry points
• Parameterized database queries
• Secure error handling

JDex handles potentially sensitive organizational data:

• Use the "Sensitive" flag for entries containing PII
• Store sensitive items in encrypted cloud storage (ProtonDrive)
• Review exports before sharing
• Regularly backup and verify database integrity

Security updates are released as needed. We recommend:

• Checking for updates regularly
• Reviewing release notes for security fixes
• Reporting any security concerns promptly

• Vulnerabilities are disclosed after a fix is available
• We credit security researchers who responsibly disclose issues
• Critical vulnerabilities may be disclosed immediately if already exploited

For security concerns: [email protected]

For general questions: Open an issue on GitHub