Security Policy

VeriWorkly security practices, vulnerability reporting, and data protection standards.

VeriWorkly is committed to maintaining a secure platform for resume building and data synchronization. As an open-source project, transparency and community-driven security are at the core of our operations.

Data Protection

Local-First Default

VeriWorkly operates as a local-first application. By default, your data is stored in your browser's persistent storage (IndexedDB) and is never transmitted to our servers unless you explicitly opt in to Cloud Sync or Managed Sharing.

Authentication Security

We utilize Better-Auth for session management and identity verification.

  • Passwordless Authentication: We eliminate the risks associated with password reuse by using secure Email OTP (One-Time Password) flows.
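  • Secure Cookies: All session cookies are configured with HttpOnly, Secure, and SameSite=Lax attributes. HttpOnly keeps the cookie out of reach of scripts injected through XSS, Secure restricts it to HTTPS connections, and SameSite=Lax limits the cross-site requests that can carry it, which reduces exposure to CSRF.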

Infrastructure Security

Database Encryption

Our PostgreSQL instances (managed via Neon) utilize industry-standard AES-256 encryption for data at rest.

Environment Management

Secrets and API keys are managed using strictly scoped environment variables. In production environments, we recommend using secret management services (e.g., AWS Secrets Manager, Doppler) rather than flat files.


Vulnerability Reporting

If you believe you have discovered a security vulnerability in VeriWorkly, please report it responsibly.

How to Report

We ask that you do not disclose the vulnerability publicly until we have had a reasonable amount of time to address the issue.

Response Timeline

  • Acknowledgement: Within 48 hours of receipt.
  • Resolution: We aim to provide a patch or mitigation within 14 days for critical vulnerabilities.

Security Audits

While we conduct internal security reviews, we welcome third-party audits and community contributions to our security posture. All code is available for review in our public repository.
