# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

1. **Do not** open a public issue
2. Email the security team at: security@wizamart.com
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

## Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 5 business days
- **Resolution Target**: Within 30 days for critical issues

## Security Measures

This application implements the following security measures:

### Authentication & Authorization

- JWT-based authentication with token expiration
- Role-based access control (RBAC)
- Store isolation (multi-tenant security)
- Session management with secure cookies

### Data Protection

- Password hashing using bcrypt
- API key encryption at rest
- HTTPS enforcement in production
- Input validation and sanitization

### API Security

- Rate limiting on authentication endpoints
- CORS configuration
- Request logging and audit trails
- SQL injection prevention via ORM

### Infrastructure

- Environment-based configuration
- Secrets management (no hardcoded credentials)
- Database connection pooling
- Error handling without information leakage

## Security Updates

Security updates are released as patch versions and announced through:

- Release notes
- Security advisories (for critical issues)

## Compliance

This application is designed with consideration for:

- GDPR (data protection)
- PCI-DSS awareness (payment handling delegated to processors)
- OWASP Top 10 mitigation