The security of the School Cashier System is a top priority. If you discover a security vulnerability, please follow these guidelines:
- Email directly to: markme44.mm@gmail.com (replace with your actual email)
- Do NOT open a public GitHub issue for security vulnerabilities
- Provide details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Give us time to respond and fix before public disclosure
- Expected response timeline:
  - Initial response: within 48 hours
  - Status update: within 7 days
  - Resolution target: within 30 days (depending on severity)
- What you can expect from us:
  - Acknowledgment of your report
  - Regular updates on our progress
  - Credit in the security advisory (if you wish)
  - Potential bug bounty (for critical vulnerabilities, if a program is active)
Security updates are provided for the following versions:
| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | No (please upgrade) |
When deploying this application:
- Environment Configuration
  - Set `APP_DEBUG=false` in production
  - Use a strong, unique `APP_KEY`
  - Never commit `.env` files to version control
  - Use environment-specific credentials
  - Set
- Database Security
  - Use strong database passwords
  - Restrict database access to localhost (if on the same server)
  - Enable SSL/TLS for remote database connections
  - Take regular backups and encrypt them
- Web Server
  - Use HTTPS with valid SSL/TLS certificates
  - Configure security headers (CSP, HSTS, X-Frame-Options)
  - Enable a firewall (allow only necessary ports)
  - Keep server software updated
- Application
  - Change default demo passwords immediately
  - Implement rate limiting on login routes
  - Enable CSRF protection (on by default in Laravel)
  - Update dependencies regularly
  - Monitor logs for suspicious activity
- User Management
  - Enforce strong password policies
  - Implement two-factor authentication (recommended)
  - Audit user permissions regularly
  - Deactivate unused accounts
This application includes demo seeders with default passwords:
- Default password: `password`
- ⚠️ CRITICAL: Change all demo account passwords in production
- Run `php artisan demo:refresh --force` only in development/staging
If implementing file upload features:
- Validate file types and sizes
- Store uploads outside public directory
- Scan for malware
- Use signed URLs for downloads
If exposing API endpoints:
- Use Laravel Sanctum for authentication
- Implement rate limiting
- Validate all inputs
- Use proper HTTP status codes
Before deploying to production:
- `APP_DEBUG=false`
- Strong `APP_KEY` generated
- `.env` file not in version control
- Database credentials are strong and unique
- HTTPS enabled with a valid certificate
- Security headers configured
- Default passwords changed
- File permissions set correctly (755 for directories, 644 for files; keep `.env` readable only by the application user)
- Firewall configured
- Error logging enabled
- Dependency vulnerabilities checked
- Rate limiting enabled
- Backups configured
This project uses:
- Dependabot (GitHub) - Automatic dependency updates
- npm audit - Node.js dependency vulnerabilities
- composer audit - PHP dependency vulnerabilities
Run security audits regularly:

```bash
# Check npm dependencies
npm audit
# Fix automatically (if possible); review the resulting lockfile changes
npm audit fix
# Check Composer dependencies
composer audit
# Update dependencies; run the test suite before committing the updated lockfiles
composer update
npm update
```

Security update history: none yet, as this is the initial release.
When security updates are made, they will be documented here with:
- Date of update
- Description of vulnerability
- Affected versions
- Fix applied
We thank security researchers who help keep this project secure:
- Your name could be here!
We follow responsible disclosure principles:
- Security researchers report vulnerabilities privately
- We acknowledge and work on fixes
- We release patches for supported versions
- After patch release, we publish security advisory
- We credit researchers (with permission)
Security Contact: markme44.mm@gmail.com
For non-security issues, please use GitHub Issues.
Last Updated: October 18, 2025
This security policy may be updated as the project evolves.