Do not open a public GitHub issue for security vulnerabilities.

Email: security@closedloop.ai

• Response time: 48 hours acknowledgment, 7 days triage
• Include: description, reproduction steps, affected versions, potential impact
• We will confirm receipt, investigate, and coordinate a fix before any public disclosure

• Clerk handles all authentication (SSO, social login, email/password, MFA)
• JWT validation on every API route via withAuth() wrapper
• Organization isolation — all database queries scoped by organizationId from JWT
• Role-based access — Clerk organization roles (org:admin, org:owner, org:member) gate admin features

• Nosecone — security headers via @nosecone/next
• Webhook verification — GitHub (HMAC SHA-256), Clerk (Svix), all with timing-safe comparison
• Environment variable validation — Zod schemas via @t3-oss/env-nextjs at startup
• server-only imports — critical packages prevent accidental client-side inclusion

• Multi-tenant isolation with organization-scoped queries throughout
• OAuth tokens (Linear, Slack) stored in database with refresh token rotation
• GitHub App credentials stored as environment variables, not in database
• S3 artifact storage with presigned URLs for access control

In-scope for security reports:

• Authentication or authorization bypass
• Cross-tenant data leakage
• Webhook signature verification bypass
• API route access without proper authentication
• Command injection via Engineer feature routes
• OAuth token exposure or mishandling

Out-of-scope:

• Theoretical vulnerabilities without proof of concept
• UI-only display preferences not enforced server-side (non-security cosmetic gating)