The ClaudePro Directory team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- Go to our Security Advisories page
- Click "Report a vulnerability"
- Fill out the form with details about the vulnerability
Alternatively, send an email to [email protected] with:
- Type of issue (XSS, CSRF, SQL Injection, etc.)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue and how an attacker might exploit it
You can expect the following response times:
- Initial Response: Within 48 hours
- Assessment: Within 7 days
- Resolution Timeline: Depends on severity (see below)
| Severity | Description | Resolution Target |
|---|---|---|
| Critical | Data exposure, authentication bypass, RCE | 24-48 hours |
| High | Privilege escalation, significant data leak | 3-5 days |
| Medium | Limited data exposure, XSS, CSRF | 7-14 days |
| Low | Minor issues with minimal impact | 30 days |
We support security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| 0.x.x | ❌ |
We use the following tooling and practices to keep the project secure:
- GitHub Code Scanning: Automated vulnerability detection on every push to `main` and `dev`
- CodeQL Analysis: Deep semantic code analysis for security issues
- Dependabot: Automated dependency vulnerability alerts and updates
- Secret Scanning: Prevents accidental credential commits
- npm audit: Regular security audits of dependencies
- Code review for all Pull Requests
- Input validation and sanitization
- Content Security Policy (CSP) headers
- Regular security updates
- TypeScript strict mode for type safety
The project does not store or commit the following sensitive data:
- User passwords (OAuth only when implemented)
- Payment information
- Personal identification information (PII)
- API keys or secrets in code
- Sensitive configuration data
When we receive a security report, we will:
- Confirm the issue and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
- Credit the reporter (unless they prefer to remain anonymous)
We maintain a Hall of Fame for security researchers who have responsibly disclosed vulnerabilities.
The following are not considered security vulnerabilities:
- Denial of Service (DoS) attacks
- Social engineering
- Physical attacks
- Attacks requiring physical access to a user's device
- UI/UX issues that don't demonstrate a security impact
- Missing best practices without demonstrable security impact
- Issues in dependencies without a demonstrated exploit path
If you have suggestions on how this policy could be improved, please submit a Pull Request or open an issue.
Last Updated: September 2025
Contact: [email protected]