If you discover a security vulnerability in Lockstep, please report it responsibly. Do not open a public GitHub issue.
Email namanjain1903@gmail.com with:
- A description of the vulnerability
- Steps to reproduce it
- The potential impact
- A suggested fix (optional)

You can expect:
- Acknowledgment within 48 hours
- A status update within 7 days with an assessment and an estimated fix timeline
- Credit in the release notes (unless you prefer to remain anonymous)
The following are in scope:
- Authentication and authorization bypasses
- RLS (row-level security) isolation escapes
- Token leakage or session hijacking
- SQL injection or other injection attacks
- Sensitive data exposure (secrets, tokens, or source code leaking through the API)
- Denial of service via API abuse

The following are out of scope:
- Issues in dependencies (report them upstream, but let us know so we can track them)
- Social engineering attacks
- Attacks requiring physical access to a developer's machine
Lockstep is designed with security as a core principle:
- Row-Level Security (RLS): Every database query is scoped to the authenticated tenant
- Append-only ledger: Decisions cannot be modified or deleted; they can only be proposed and acknowledged
- Hashed tokens: Session tokens are hashed before storage, so a leaked database row cannot be replayed as a session
- No source code stored: Only decisions, contracts, and metadata flow through the system
- Dev-login bypass: Strictly gated, and disabled when `NODE_ENV=production`
- Zod validation: All API inputs are validated at the boundary
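The following is an added illustration of two of the principles above (hashing session tokens before storage, and refusing the dev-login path in production). It is example code written for this page, not Lockstep's own implementation; the `sessions` map stands in for the database, and the function names (`createSession`, `resolveSession`, `devLogin`) are assumptions, not Lockstep's API.

```typescript
// Added example (not Lockstep's own code): session tokens are hashed before
// storage, and the dev-login bypass is refused when NODE_ENV=production.
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory session table standing in for the real database.
// Keyed by the token *hash*; the raw token never lands in storage.
interface SessionRow {
  tenantId: string;
  expiresAt: number; // epoch milliseconds
}
const sessions = new Map<string, SessionRow>();

// SHA-256 of the raw token. Tokens are 256-bit random values, so a fast
// unsalted hash is sufficient: there is nothing to brute-force or rainbow.
export function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

// Issue a session. The raw token is returned to the caller (to be sent to the
// client); only its hash is written to the session table.
export function createSession(
  tenantId: string,
  ttlMs = 3_600_000,
  now = Date.now(),
): string {
  const raw = randomBytes(32).toString("base64url");
  sessions.set(hashToken(raw), { tenantId, expiresAt: now + ttlMs });
  return raw;
}

// Resolve a presented token to its tenant, or null if unknown or expired.
// Lookup is by hash, so a dumped table contains nothing a client can present.
export function resolveSession(rawToken: string, now = Date.now()): string | null {
  const row = sessions.get(hashToken(rawToken));
  if (!row || row.expiresAt <= now) return null;
  return row.tenantId;
}

// What is actually persisted; used to verify that raw tokens never appear.
export function storedHashes(): string[] {
  return Array.from(sessions.keys());
}

// Dev-login bypass: mints a session for an arbitrary tenant without a
// password. Gated on the environment: hard-refused when NODE_ENV=production.
export function devLogin(
  tenantId: string,
  env: string | undefined = process.env.NODE_ENV,
): string {
  if (env === "production") {
    throw new Error("dev-login is disabled when NODE_ENV=production");
  }
  return createSession(tenantId);
}
```

The gate above is the one the page describes (disabled in production). A fail-closed variant would instead allow the bypass only when `NODE_ENV === "development"`, so that an unset or misspelled `NODE_ENV` on a deployed host does not silently enable it.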
Versions currently receiving security fixes:

| Version | Supported |
|---|---|
| 0.x | Yes (current) |