Security
Security policy and guidance for a privacy-first resume builder
The project is designed to be simple to trust: local-first storage, optional cloud features, and public pages that explain the boundaries of the system.
Least privilege
Each feature should be granted only the minimum access it needs to work.
Resume builder security, data privacy, and responsible disclosure policy.
Clear boundaries
Public, authenticated, and shareable routes should stay separated and intentional.
Report first, disclose second
Potential vulnerabilities should be reported privately before public disclosure.
What to expect
- The main product should remain usable without login.
- Optional cloud and sharing flows should stay explicit.
- Public routes should be crawlable, but admin and editor paths should not.
- If a security flaw is found, it should be reported privately first.
Responsible disclosure
Use direct channels for private reporting.
If you discover a vulnerability, share the minimum details needed to reproduce it and wait for a response before publishing it more broadly.
Disclosure channels
- Email private reports to [email protected].
- Follow the disclosure process in SECURITY.md.
- Use GitHub discussions for non-sensitive security questions.