ProStaff API takes security seriously. We appreciate your efforts to responsibly disclose your findings.

DO NOT create public GitHub issues for security vulnerabilities.

Instead, please report security vulnerabilities by emailing:

security@prostaff.gg

Please include the following information in your report:

• Type of vulnerability (e.g., SQL injection, XSS, SSRF, authentication bypass)
• Full path of the affected source file(s)
• Location of the affected code (file path, line number, commit hash)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability
• Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Depends on severity (see below)

ProStaff API implements multiple layers of security:

• ✅ JWT-based authentication with refresh tokens
• ✅ Token blacklisting on logout
• ✅ Multi-tenant data isolation via organization_scoped
• ✅ Role-based access control (Pundit)
• ✅ Fail-safe fallbacks (where('1=0') when org_id is nil)

• ✅ Rate limiting (Rack::Attack)
  • Global: 300 req/5min
  • Login: 5 req/20sec
  • Registration: 3 req/hour
  • Password reset: 5 req/hour
• ✅ CORS configuration with explicit origin whitelist
• ✅ SSRF protection with domain whitelist + private IP blocking
• ✅ SQL injection protection (parameterized queries)
• ✅ XSS protection (Rails default escaping)

• ✅ HTTPS-only in production (Traefik + Let's Encrypt)
• ✅ Security headers (X-Frame-Options, X-Content-Type-Options, etc.)
• ✅ Database connection timeout (5s)
• ✅ Statement timeout (10s to prevent long-running queries)
• ✅ Prepared statements disabled (Supabase compatibility)

• ✅ No hardcoded credentials
• ✅ Environment variables for all secrets
• ✅ .env files properly gitignored
• ✅ Test credentials marked with # brakeman:ignore
• ✅ JWT_SECRET_KEY rotation supported

• ✅ 401 rate spike detection (alerts when >5% of requests fail auth)
• ✅ Structured logging (Lograge JSON format)
• ✅ Audit logs for sensitive operations
• ✅ Sidekiq job monitoring with stale job detection

Every push triggers:

# Static Analysis (SAST)
- Brakeman         # Rails security scanner
- Bundle Audit     # Dependency vulnerabilities
- Semgrep          # Code analysis
- TruffleHog       # Secrets detection

# Dynamic Analysis (DAST)
- SSRF Protection  # 9 tests
- Authentication   # 5 tests
- SQL Injection    # 4 tests
- Secrets Scan     # 5 checks

Security team regularly performs:

• Manual code review
• Penetration testing
• Third-party security audits

Last Audit: 2026-03-04 Overall Grade: A (26/27 tests passed - 96%) Status: Production-ready

See .pentest/SECURITY-TEST-RESULTS.md for detailed results.

ProStaff API follows industry best practices:

• ✅ OWASP Top 10 2025 - All 10 categories covered
• ✅ CWE Top 25 - Common weakness patterns mitigated
• ✅ SANS Top 25 - Dangerous software errors prevented

Before committing code:

# Run security scan
./security_tests/scripts/brakeman-scan.sh

# Check for secrets
./.pentest/test-secrets-quick.sh

# Verify SSRF protection
./.pentest/test-ssrf-quick.sh

Required environment variables:

# Strong JWT secret (min 64 characters)
JWT_SECRET_KEY=$(openssl rand -base64 64)

# Unique HashID salt (never reuse across environments)
HASHID_SALT=$(openssl rand -base64 32)

# CORS origins (explicit list, no wildcards)
CORS_ORIGINS=https://prostaff.gg,https://app.prostaff.gg

Database configuration:

# config/database.yml (production)
production:
  connect_timeout: 5
  checkout_timeout: 5
  variables:
    statement_timeout: 10000  # 10 seconds

1. Never commit secrets - Use environment variables
2. Always scope queries - Use organization_scoped(Model)
3. Validate user input - Use strong parameters
4. Parameterize SQL - Never use string interpolation
5. Test authentication - Ensure endpoints require auth
6. Use HTTPS - Never send credentials over HTTP
7. Rate limit - Add throttling for expensive operations

Check for:

• All queries use organization_scoped() or explicit organization_id filter
• No SQL queries with string interpolation
• Controllers use authenticate_request!
• Strong parameters whitelist (no permit!)
• No secrets in code (use ENV vars)
• URLs with user input use whitelist + validation
• Brakeman reports no HIGH or CRITICAL issues

• Critical vulnerabilities: Patched within 24-48 hours
• Dependency updates: Monthly review cycle
• Security advisories: Monitored via Dependabot

Security advisories are posted to:

• GitHub Security Advisories
• Email: security@prostaff.gg

We recognize security researchers who responsibly disclose vulnerabilities:

No vulnerabilities have been publicly disclosed yet.

ProStaff provides a safe harbor for security researchers who:

• Make a good faith effort to avoid privacy violations, data destruction, and service disruption
• Only interact with accounts you own or with explicit permission
• Do not exploit a vulnerability beyond the minimum necessary to demonstrate it
• Report vulnerabilities promptly
• Give us reasonable time to fix the issue before any public disclosure

We will not pursue legal action against researchers who follow this policy.

The following are explicitly out of scope:

• ❌ Social engineering attacks
• ❌ Physical attacks
• ❌ Denial of Service (DoS/DDoS)
• ❌ Spam or social engineering of ProStaff employees
• ❌ Attacks on third-party services (Riot API, PandaScore, etc.)
• ❌ Vulnerabilities in outdated browsers or plugins
• ❌ Clickjacking on pages without sensitive actions
• ❌ Missing security headers without proof of exploitability
• ❌ SSL/TLS configuration issues (handled by Traefik)

• Security Team: security@prostaff.gg
• General Support: support@prostaff.gg
• GitHub Issues: For non-security bugs only

• OWASP Top 10
• CWE Top 25
• Security Test Results
• CI/CD Security Workflow

Last Updated: 2026-03-04 Policy Version: 1.0