MeridianIQ handles scheduling data that may include sensitive project information (construction budgets, baselines, claim evidence). We take security reports seriously.
Please do not open a public GitHub issue for security vulnerabilities.
Report suspected vulnerabilities privately via one of:
- GitHub's private vulnerability reporting (preferred — enables coordinated disclosure)
- Email:
vitor@vitormr.devwith subject[MeridianIQ security] <short description>
Include:
- Affected component (backend engine, API endpoint, web page, MCP tool, parser)
- Reproduction steps, proof-of-concept, or minimal failing input
- Impact assessment (information disclosure, privilege escalation, denial of service, etc.)
- Your disclosure timeline preference
We aim to acknowledge within 3 business days and provide an initial assessment within 7 business days.
MeridianIQ follows a rolling release from main. Security fixes land on main and are tagged in the next minor release.
| Version | Supported |
|---|---|
v4.0.x |
✅ current stable |
v3.x and earlier |
In scope:
- The FastAPI backend (
src/api/) — authentication, authorization (RLS), rate limiting, input validation, error disclosure - The XER parser (
src/parser/) — malicious file handling, encoding attacks, resource exhaustion - Database abstractions (
src/database/) — data access, RLS policy enforcement - Supabase migrations (
supabase/migrations/) — RLS coverage on user-owned tables - The MCP server (
src/mcp_server.py) — local-only by design; report if tools leak across projects - The SvelteKit frontend (
web/) — XSS, token handling, auth state leaks
Out of scope:
- Vulnerabilities in third-party dependencies (report upstream; we'll pick up fixes on their release)
- Social engineering or physical access to user machines
- Denial of service via trivially rate-limitable inputs
- Issues requiring an already-compromised user account with legitimate access
MeridianIQ deployments typically contain:
- Uploaded XER files (project schedules, sometimes contract-sensitive)
- CBS cost data (budget, contingency, commitments)
- Forensic analysis artifacts (delay windows, narratives)
If your report requires sample data, please use synthetic fixtures only. Do not share real project data over unencrypted channels.
Reporters who follow this policy and request attribution will be credited in the CHANGELOG entry that ships the fix.