Security

Security Architecture

TheTerms is designed with security as a core concern:

Layer	Implementation
Authentication	NextAuth v5 with JWT sessions
Authorization	tRPC middleware chain (enforceAuth → requireRole) with four-tier role hierarchy
Secrets	Environment variables only — never stored in source code
Database	Prisma ORM with parameterized queries — no raw SQL, no SQL injection
Signing tokens	Cryptographically random UUIDs via crypto.randomUUID()
Password hashing	bcrypt with default cost factor
Password reset	JWT-based tokens with 30-minute expiry and single-use revocation

Supported Versions

Only the latest release on the main branch receives security patches. We recommend always running the most recent version.

Reporting a Vulnerability

Danger

Do not open a public GitHub issue for security vulnerabilities. Use the private email channel below.

Email security@theterms.app with the subject line:

[SECURITY] Brief description of the vulnerability

Include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact (e.g., data exposure, privilege escalation)
• Suggested fix (if you have one)

Response Timeline

Stage	Timeline
Acknowledgment	Within 72 hours
Assessment	Within 7 days
Resolution (critical)	Within 14 days
Resolution (moderate)	Within 30 days

We ask that you allow reasonable time to address the vulnerability before public disclosure. We will credit reporters (with permission) in our release notes.

Scope

In Scope

• Authentication bypass or privilege escalation
• Injection attacks (SQL, XSS, CSRF)
• Secrets or credentials exposure
• Data exfiltration or unauthorized data access
• Cryptographic weaknesses in signing tokens
• Server-side request forgery (SSRF)

Out of Scope

• Denial of service via resource exhaustion
• Issues requiring physical access to the server
• Social engineering attacks
• Vulnerabilities in third-party dependencies (report those to the upstream project)
• Issues in development-only configurations