The FMD Server JS team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

If you believe you've found a security vulnerability in FMD Server JS, please send an email to security@example.com rather than opening a public issue on GitHub.

Please include the following information in your report:

• A description of the vulnerability and its potential impact
• Steps to reproduce the vulnerability
• Any proof-of-concept code, if applicable
• Versions affected
• Suggestions for remediation, if any

After you've submitted a vulnerability report, you can expect:

1. Acknowledgment: We'll acknowledge receipt of your report within 48 hours.
2. Verification: We'll work to verify the vulnerability and determine its impact.
3. Remediation: We'll develop and test a fix for the vulnerability.
4. Disclosure: Once the vulnerability is fixed, we'll coordinate with you on the disclosure timeline.

FMD Server JS includes several security features by design:

All sensitive data (locations, pictures) is encrypted on the device before being sent to the server. The server stores this data in encrypted form, ensuring that only authorized users with the correct keys can decrypt it.

Encryption keys are carefully managed to ensure security:

• RSA key pairs for asymmetric encryption
• AES session keys for symmetric encryption
• Password-based key protection

• Secure password handling with Argon2id hashing
• Token-based authentication for API access
• Session-based authentication for the web dashboard

Comprehensive audit logging for security events:

• Authentication attempts (successful and failed)
• API access
• Key operations
• Administrative actions

When deploying FMD Server JS, we recommend the following security best practices:

1. Use HTTPS: Always deploy with HTTPS, using a valid SSL certificate.
2. Regular Updates: Keep the server and all dependencies up to date.
3. Secure Environment Variables: Store sensitive configuration (like secrets) in environment variables, not in code.
4. Limited Access: Restrict access to the server host to authorized personnel only.
5. Firewall Configuration: Configure a firewall to allow only necessary traffic.
6. Database Security: Ensure your database is properly secured.
7. Regular Backups: Implement regular, secure backups of your data.

We currently provide security updates for the following versions:

Only the latest patch version of each minor version is supported. We recommend always using the latest version of FMD Server JS.