If you discover a security vulnerability in OpenEstimate, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

1. GitHub Security Advisories (preferred): Go to Security Advisories and create a new advisory.

2. Email: security@openestimate.io

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

If you deploy OpenEstimate on your own infrastructure:

• Change JWT_SECRET from the default value
• Use HTTPS (TLS) in production — never expose HTTP publicly
• Set APP_ENV=production to disable debug endpoints (/api/docs, /api/redoc)
• Use PostgreSQL with a strong password (not SQLite) for production
• Restrict ALLOWED_ORIGINS to your actual domain
• Keep Docker images updated (docker compose pull)
• Back up your database regularly
• Review .env file permissions — should be readable only by the app user
• If using AI features, protect your API keys (OpenAI/Anthropic) — never commit them

• JWT authentication with configurable expiration
• Password hashing with bcrypt
• CORS middleware with configurable origins
• SQL injection prevention via SQLAlchemy ORM
• Input validation via Pydantic v2
• Rate limiting (configurable)
• Role-based access control (RBAC)