Git City is actively developed. Security fixes are applied to the latest version on main.
| Version | Supported |
|---|---|
| latest (main) | ✅ |
| older commits | ❌ |
We take security seriously. If you discover a vulnerability in Git City, please do not open a public GitHub issue.
Please report vulnerabilities by emailing the maintainer directly or using GitHub's private security advisory feature:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Fill in the details of the issue
Alternatively, you can reach out to the maintainer via X/Twitter.
Please include as much of the following information as possible to help us understand and resolve the issue quickly:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept or exploit code (if applicable)
- Affected component(s) (e.g., auth flow, API route, Supabase RLS policy)
Git City handles the following sensitive data — please pay special attention when auditing:
- GitHub OAuth tokens — used for authentication via Supabase
- Supabase Row Level Security (RLS) — controls data access per user
- Stripe payment webhooks — handles payment events
- API routes — under `src/app/api/`; ensure proper authentication checks
- CRON endpoints — protected by `CRON_SECRET`; unauthorized access could trigger unintended server actions
Our response timeline for reports is:
- Acknowledgement: within 72 hours of receiving a report
- Status update: within 7 days
- Fix or mitigation: depends on severity; critical issues will be prioritized
We follow a coordinated disclosure model. Once a fix is available, we will:
- Publish a GitHub Security Advisory
- Credit the reporter (unless they wish to remain anonymous)
- Release a patched version
Thank you for helping keep Git City and its users safe!