# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in CapaKraken, please report it responsibly.

**Do not** open a public GitHub issue for security vulnerabilities. Instead, please email the maintainer directly with:

1. A description of the vulnerability
2. Steps to reproduce
3. Potential impact assessment

We will acknowledge receipt within 48 hours and provide a timeline for resolution.

## Supported Versions

Only the latest version on the `main` branch receives security updates.

## Security Practices

- Dependencies are audited nightly via `pnpm audit` and on every CI run
- Authentication uses Argon2-based password hashing via Auth.js v5
- Rate limiting is enforced on all API endpoints with Redis-backed counters
- All database mutations use parameterized queries via Prisma (no raw SQL)
- Session tokens are rotated on password change