## Supported Versions
Only the latest deployed version of Kanak receives security updates.
## Reporting a Vulnerability
If you discover a security vulnerability, please report it privately by emailing the team directly (do not file public GitHub issues).
What to include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
Response timeline:
- 24 hours: Acknowledgment of receipt
- 7 days: Initial assessment and remediation plan
- 30 days: Fix deployed or rationale for extended timeline
## Bug Bounty
We do not currently offer a bug bounty program.
## Backup & Recovery
### Automated Backups (Supabase)
- Supabase Pro plan includes daily automated backups with 7-day retention
- Point-in-Time Recovery (PITR) available on Pro plan (30-day window)
- Verify backups: Supabase Dashboard → Database → Backups
### Restore Procedure
- Go to Supabase Dashboard → Database → Backups
- Select backup → "Restore"
- Choose target: new project (recommended) or same project
- Wait for restoration (5-30 min depending on size)
- Verify: run `SELECT count(*) FROM kanak.profiles;` on the restored DB
- Update `SUPABASE_URL` in Cloudflare secrets if restoring to a new project
### Manual Export (Free tier)
```bash
supabase db dump --linked --schema kanak > kanak_schema_$(date +%Y%m%d).sql
supabase db dump --linked --data-only --schema kanak > kanak_data_$(date +%Y%m%d).sql
```
### RTO / RPO Targets
| Metric | Target |
|---|---|
| RTO (Recovery Time) | < 1 hour (Supabase PITR); < 4 hours (manual restore) |
| RPO (Recovery Point) | < 24 hours (daily backup); < 1 hour (PITR) |
## Incident Response
### 1. Credential Leak
If API keys, service role key, or secrets are exposed:
- Rotate compromised key immediately in Supabase Dashboard / Cloudflare Dashboard
- Update `wrangler.jsonc` and Cloudflare secrets with the new key
- Revoke old key
- Check audit logs for unauthorized access:
  ```sql
  SELECT * FROM kanak.audit_logs
  WHERE created_at > NOW() - INTERVAL '24 hours'
  ORDER BY created_at DESC;
  ```
- Notify beta merchants if user data may have been exposed
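The audit-log review above is easiest to act on once the rows are grouped by who did what from where. The following is an added example, not Kanak's own code: it takes rows returned by the 24-hour query and ranks actors for follow-up. The page only shows the `created_at` column; `actor_id`, `action` and `ip` are assumed column names, `knownActors` (the identities expected to appear, such as the edge function's own service identity) is an assumption you supply, and the sample rows are constructed.

```javascript
// Added example (not Kanak's code): triage of kanak.audit_logs rows after a credential leak.
// Assumed columns beyond created_at: actor_id, action, ip. Adapt to the real schema.

const AUDIT_WINDOW_MS = 24 * 60 * 60 * 1000; // same 24 h window as the SQL query

// Groups rows inside the window by actor and flags actors that are not in the
// expected set or that appear from more distinct source IPs than expected.
function triageAuditRows(rows, { now, knownActors, maxIpsPerActor = 2 }) {
  const cutoff = now - AUDIT_WINDOW_MS;
  const byActor = new Map();
  for (const row of rows) {
    const ts = Date.parse(row.created_at);
    if (Number.isNaN(ts) || ts <= cutoff) continue; // outside the window, skip
    let entry = byActor.get(row.actor_id);
    if (!entry) {
      entry = { actor: row.actor_id, events: 0, actions: {}, ips: new Set(), reasons: [] };
      byActor.set(row.actor_id, entry);
    }
    entry.events += 1;
    entry.actions[row.action] = (entry.actions[row.action] ?? 0) + 1;
    entry.ips.add(row.ip);
  }
  const report = [];
  for (const e of byActor.values()) {
    if (!knownActors.has(e.actor)) e.reasons.push('unknown actor');
    if (e.ips.size > maxIpsPerActor) e.reasons.push(`${e.ips.size} distinct source IPs`);
    report.push({ ...e, ips: [...e.ips].sort(), flagged: e.reasons.length > 0 });
  }
  // Flagged actors first, then by volume, so the top of the list is what to look at.
  return report.sort((a, b) => (b.flagged - a.flagged) || (b.events - a.events));
}

// Constructed sample rows, as if returned by the 24-hour query on 2024-06-01 12:00 UTC.
const SAMPLE_ROWS = [
  { created_at: '2024-06-01T11:50:00Z', actor_id: 'edge-fn', action: 'profile.read', ip: '203.0.113.10' },
  { created_at: '2024-06-01T11:55:00Z', actor_id: 'edge-fn', action: 'profile.update', ip: '203.0.113.10' },
  { created_at: '2024-06-01T03:20:00Z', actor_id: 'svc-unknown', action: 'export', ip: '198.51.100.7' },
  { created_at: '2024-06-01T03:25:00Z', actor_id: 'svc-unknown', action: 'export', ip: '198.51.100.8' },
  { created_at: '2024-05-30T10:00:00Z', actor_id: 'svc-unknown', action: 'export', ip: '198.51.100.9' }, // older than 24 h
];

function sampleReport() {
  return triageAuditRows(SAMPLE_ROWS, {
    now: Date.parse('2024-06-01T12:00:00Z'),
    knownActors: new Set(['edge-fn']),
  });
}

for (const e of sampleReport()) {
  console.log(e.flagged ? 'FLAG' : 'ok  ', e.actor, e.events, JSON.stringify(e.actions), e.ips.join(','), e.reasons.join('; '));
}
```

Run it against a CSV or JSON export of the query result rather than the constructed rows; a flagged actor is a starting point for the notification decision in the next step, not proof of compromise on its own.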
### 2. Database Corruption / Data Loss
- Stop writes: Temporarily disable RPC functions or restrict access
- Restore from backup (see Backup section above)
- Verify integrity:
  ```sql
  SELECT schemaname, tablename, n_live_tup
  FROM pg_stat_user_tables
  WHERE schemaname = 'kanak'
  ORDER BY tablename;
  ```
- Notify users of service disruption
### 3. DDoS / Brute Force Attack
- Rate limiting is active (via KV namespace): login (10/60s), mutations (30/min)
- Cloudflare protections:
  - Enable "Under Attack" mode in Cloudflare Dashboard
  - Verify WAF rules are active
  - Consider geo-blocking non-India regions if applicable
- Review logs: Check Cloudflare analytics for attack patterns
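The rate limits listed above (login 10/60s, mutations 30/min, and clear_data 1/24h from the checklist) are the first line of defence against brute force, so it is worth seeing how such a KV-backed limiter behaves. The following is an added example, not Kanak's own edge-function code: a fixed-window limiter in the shape of a Cloudflare Worker calling a KV binding's `get`/`put`. The limits are the page's; the bucket names, key layout and the in-memory KV stand-in (which mimics the binding's `get(key)` / `put(key, value, { expirationTtl })` signatures so the example runs offline) are assumptions.

```javascript
// Added example (not Kanak's code): fixed-window rate limiter backed by a KV-style store.

const LIMITS = {
  login:      { max: 10, windowSec: 60 },           // 10 per 60 s
  mutation:   { max: 30, windowSec: 60 },           // 30 per minute
  clear_data: { max: 1,  windowSec: 24 * 60 * 60 }, // 1 per 24 h
};

// Minimal stand-in for a KV namespace binding, constructed for this example:
// same get/put signatures a Worker uses, plus an injectable clock for determinism.
class MemoryKV {
  constructor(clock = Date.now) { this.clock = clock; this.store = new Map(); }
  async get(key) {
    const entry = this.store.get(key);
    if (!entry || entry.expiresAt <= this.clock()) { this.store.delete(key); return null; }
    return entry.value;
  }
  async put(key, value, { expirationTtl } = {}) {
    this.store.set(key, { value, expiresAt: this.clock() + (expirationTtl ?? 3600) * 1000 });
  }
}

// Decides one request from `subject` (client IP or user id) against `bucket`.
// The key names the window, so counters for old windows simply expire.
async function checkRateLimit(kv, bucket, subject, now = Date.now()) {
  const limit = LIMITS[bucket];
  if (!limit) throw new Error(`unknown rate-limit bucket: ${bucket}`);
  const windowMs = limit.windowSec * 1000;
  const windowStart = Math.floor(now / windowMs) * windowMs;
  const key = `rl:${bucket}:${subject}:${windowStart}`;
  const current = Number((await kv.get(key)) ?? 0);
  if (current >= limit.max) {
    const retryAfterSec = Math.ceil((windowStart + windowMs - now) / 1000);
    return { allowed: false, remaining: 0, retryAfterSec };
  }
  // Workers KV is eventually consistent across edge locations and this read-then-write
  // is not atomic, so two racing requests can both observe the same count: the limit
  // is approximate, not a hard ceiling. KV also requires expirationTtl to be >= 60 s.
  await kv.put(key, String(current + 1), { expirationTtl: Math.max(60, limit.windowSec) });
  return { allowed: true, remaining: limit.max - (current + 1), retryAfterSec: 0 };
}

// Headers a Worker would attach to the response for the decision above.
function rateLimitHeaders(result) {
  const headers = { 'X-RateLimit-Remaining': String(result.remaining) };
  if (!result.allowed) headers['Retry-After'] = String(result.retryAfterSec);
  return headers;
}

// Stand-alone demo: eleven login attempts from one constructed IP within a minute.
(async () => {
  const kv = new MemoryKV();
  for (let i = 0; i < 11; i++) {
    const r = await checkRateLimit(kv, 'login', '203.0.113.5');
    console.log(i + 1, r.allowed ? 'allowed' : 'blocked', rateLimitHeaders(r));
  }
})();
```

Because the count is approximate at the edge, the limiter should be treated as a throttle that slows an attacker and protects the origin; the Cloudflare WAF and "Under Attack" mode listed above remain the controls for a volumetric attack.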
### 4. Payment / Billing Failure
Not applicable — no payment processing is currently integrated.
## Security Checklist
- ✓ HTTPS enforced — Cloudflare provides by default + HSTS header
- ✓ Security headers — CSP, X-Frame-Options, X-Content-Type-Options in `_headers`
- ✓ RLS policies — All tables have RLS enabled (user isolation)
- ✓ Rate limiting — Login (10/60s), mutations (30/min), clear_data (1/24h)
- ✓ Input validation — Server-side for proxied routes, CHECK constraints on DB
- ◯ Rotate Supabase anon key — Do this before production launch
- ✓ No hardcoded secrets in client source — Anon key served via `/api/config`
- ✓ Structured logging — JSON format with request IDs in edge function
- ✓ Error sanitization — Schema/table names stripped from error responses
- ◯ Backup test — Verify backup restoration works (run quarterly)
- ◯ Dependency audit — Run `npm run audit` before each deploy
## Key Contacts & Escalation
| Role | Responsible |
|---|---|
| Security Lead | DevOps Lead |
| Database Admin | Backend Dev |
| Incident Response | On-call rotation |
For security issues, email the team directly — do not file public GitHub issues.