Security at OSBridge
We take the security of your data seriously. This page outlines the specific technical measures and practices we use to protect the OSBridge platform.
1. Authentication & Authorization
- OAuth Integration: Authentication is handled exclusively through GitHub OAuth using NextAuth.js v5. We do not store or manage user passwords.
- Session Management: User sessions are verified server-side before any protected route or data is served.
2. Infrastructure & Database Security
- Supabase PostgreSQL: Our primary database is hosted on Supabase. Direct database access is restricted, and queries are executed via Drizzle ORM to prevent SQL injection vulnerabilities.
- Row Level Security (RLS): Where applicable, Supabase Row Level Security policies ensure users can only access their own data.
- Environment Variables: Sensitive credentials and API keys are supplied only through environment variables, which are validated against a Zod schema at application startup so that a missing or malformed value is caught before the application serves traffic.
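The startup check described above, as an added illustration rather than OSBridge's own code: the page says the real implementation uses Zod, so this dependency-free version stands in for a Zod schema with a small hand-written rule table. Every variable name, format rule and sample value below is an assumption made for the example, not OSBridge's real configuration. Note that failures report only the variable name and the expected shape, never the rejected value, so a startup log cannot leak a secret.

```typescript
// Added example (not OSBridge's code): fail-fast validation of environment
// variables at startup. Zod is what the page describes; this is a dependency-free
// stand-in that performs the same kind of check.

type Rule = {
  required: boolean;
  check?: (value: string) => boolean; // shape test; secrets are never echoed
  hint: string;                        // what a valid value looks like
};

// Hypothetical schema: names and formats are assumptions for this example.
export const ENV_SCHEMA: Record<string, Rule> = {
  DATABASE_URL:             { required: true,  check: v => /^postgres(ql)?:\/\/.+/.test(v), hint: 'postgres:// URL' },
  GITHUB_CLIENT_ID:         { required: true,  check: v => v.length > 0,                   hint: 'non-empty string' },
  GITHUB_CLIENT_SECRET:     { required: true,  check: v => v.length >= 20,                 hint: 'at least 20 characters' },
  AUTH_SECRET:              { required: true,  check: v => v.length >= 32,                 hint: 'at least 32 characters' },
  UPSTASH_REDIS_REST_URL:   { required: true,  check: v => /^https:\/\/.+/.test(v),        hint: 'https:// URL' },
  UPSTASH_REDIS_REST_TOKEN: { required: true,  hint: 'non-empty string' },
  CACHE_TTL_SECONDS:        { required: false, check: v => /^\d+$/.test(v) && Number(v) > 0, hint: 'positive integer' },
};

export interface EnvReport {
  ok: boolean;
  problems: string[];               // "NAME: missing (expected ...)" -- no values
  env: Record<string, string>;      // only the variables that passed
}

// Check every variable and collect all problems at once, so an operator sees
// the full list on the first failed start instead of one error per restart.
export function checkEnv(
  source: Record<string, string | undefined>,
  schema: Record<string, Rule> = ENV_SCHEMA,
): EnvReport {
  const problems: string[] = [];
  const env: Record<string, string> = {};
  for (const [name, rule] of Object.entries(schema)) {
    const value = source[name];
    if (value === undefined || value === '') {
      if (rule.required) problems.push(`${name}: missing (expected ${rule.hint})`);
      continue;
    }
    if (rule.check && !rule.check(value)) {
      problems.push(`${name}: invalid (expected ${rule.hint})`);
      continue;
    }
    env[name] = value;
  }
  return { ok: problems.length === 0, problems, env };
}

// Startup entry point: throw (and so refuse to boot) on any problem.
export function validateEnv(source: Record<string, string | undefined>): Record<string, string> {
  const report = checkEnv(source);
  if (!report.ok) {
    throw new Error(`Environment validation failed:\n  ${report.problems.join('\n  ')}`);
  }
  return report.env;
}

// Constructed sample: two defects, so the report lists both in one pass.
export const SAMPLE_BAD_ENV: Record<string, string | undefined> = {
  DATABASE_URL: 'mysql://example-host/db',      // wrong scheme for this schema
  GITHUB_CLIENT_ID: 'example-client-id',
  GITHUB_CLIENT_SECRET: 'example-client-secret-0123456789',
  AUTH_SECRET: 'example-auth-secret-padded-to-32-chars!!',
  UPSTASH_REDIS_REST_URL: 'https://example-redis.invalid',
  // UPSTASH_REDIS_REST_TOKEN deliberately absent
};

console.log(checkEnv(SAMPLE_BAD_ENV).problems.join('\n'));
```

In a Next.js app this check belongs in a module that every server entry point imports, so it runs once on boot; collecting all problems before throwing avoids the restart-fix-restart loop that one-error-at-a-time validation produces.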
3. Data Protection Measures
- In Transit: All data transmitted between your browser and OSBridge servers, as well as between our servers and third-party APIs (GitHub, Supabase, Upstash), is encrypted using TLS/SSL.
- Vector Embeddings: Embeddings generated for skill profiles and GitHub issues are stored securely using the `pgvector` extension.
- Caching Strategy: Data fetched from external sources (e.g., LeetCode profiles) is cached temporarily in Upstash Redis with a strict 24-hour Time-To-Live (TTL), so that the data stays fresh and the amount of third-party data we retain stays minimal.
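The cache-aside pattern behind that caching strategy, as an added example that is not OSBridge's code: an in-memory store stands in for Upstash Redis, the clock is injected so expiry can be exercised without waiting a day, and the 24-hour TTL is enforced on read as well as on write, so a stale entry is refetched rather than served. The key names and the `fetcher` callback are assumptions for the example.

```typescript
// Added example (not OSBridge's code): cache-aside lookup with a hard TTL.
// Redis would enforce the expiry itself (SET with EX); this in-memory stand-in
// checks expiresAt on every read to give the same guarantee.

export const DAY_SECONDS = 24 * 60 * 60; // the page's 24-hour TTL

interface Entry<T> { value: T; expiresAt: number }

export class TtlCache<T> {
  private store = new Map<string, Entry<T>>();

  // `now` returns seconds; injected so tests can advance time deterministically.
  constructor(private readonly now: () => number, private readonly ttlSeconds: number = DAY_SECONDS) {}

  get(key: string): T | undefined {
    const entry = this.store.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) {
      this.store.delete(key); // expired: drop it so stale data is never returned
      return undefined;
    }
    return entry.value;
  }

  set(key: string, value: T): void {
    this.store.set(key, { value, expiresAt: this.now() + this.ttlSeconds });
  }

  size(): number { return this.store.size; }
}

// Read-through helper: serve from cache on a hit, otherwise call the fetcher
// (the external API) and store the result under the TTL.
export function cachedFetch<T>(
  cache: TtlCache<T>,
  key: string,
  fetcher: () => T,
): { value: T; hit: boolean } {
  const cached = cache.get(key);
  if (cached !== undefined) return { value: cached, hit: true };
  const value = fetcher();
  cache.set(key, value);
  return { value, hit: false };
}

// Constructed demo: the second lookup is a hit, the one a day later is a miss.
let clock = 1_700_000_000;
const demo = new TtlCache<string>(() => clock);
console.log(cachedFetch(demo, 'leetcode:example-user', () => 'profile-v1'));
console.log(cachedFetch(demo, 'leetcode:example-user', () => 'profile-v2'));
clock += DAY_SECONDS;
console.log(cachedFetch(demo, 'leetcode:example-user', () => 'profile-v3'));
```

Namespacing keys by source (`leetcode:`, `github:`) keeps one provider's data from colliding with another's, and because the TTL is set at write time, the retention bound holds even if the application is never asked for that key again.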
4. Secure Development Practices
- Type Safety: Strict TypeScript type checking is enforced across the codebase to catch errors at compile time.
- Dependency Management: We regularly update and monitor our npm dependencies for known vulnerabilities.
5. Planned Security Improvements
As a growing open-source platform, we are continuously working to enhance our security posture. The following initiatives are planned for future implementation:
- Independent security audits and penetration testing.
- Formal compliance certifications (e.g., SOC 2, ISO 27001).
- A formalized public bug bounty program.
6. Reporting Vulnerabilities
If you believe you have found a security vulnerability in OSBridge, please do not disclose it publicly.
Contact us immediately at security@osbridge.dev. We aim to respond to all security reports within 48 hours and will work with you to understand and mitigate the issue.