Do not open public GitHub issues for security vulnerabilities.

If you discover a security vulnerability in Kanbu, please report it responsibly by emailing: security@kanbu.dev or R.Waslander@gmail.com

Please include:

• Description of the vulnerability
• Steps to reproduce (if possible)
• Potential impact
• Any suggested fixes (optional)

We will acknowledge your report within 48 hours and provide updates on our progress toward a fix.

Kanbu includes several security-focused features:

• NTFS-style permissions with Read, Write, Execute, Delete, and Permissions controls
• Deny-first logic where explicit deny entries override any grants
• Permission inheritance from workspace to project to task levels
• Security groups for managing permissions at scale
• Audit logging of all permission changes

• HTTPS-only communication (enforced on deployment)
• JWT token-based authentication with configurable secrets
• Permission-based access ensures Claude Code and API keys only access what the user allows
• Database encryption recommended for production deployments
• Audit trail of all user actions with export capabilities

1. Change Default Passwords: Always change the PostgreSQL password and JWT_SECRET in .env
2. Use HTTPS: Configure HTTPS/TLS for all production deployments
3. Secure Database: Use strong PostgreSQL credentials and restrict network access
4. Regular Backups: Implement automated database backups
5. Monitor Logs: Regularly review audit logs for suspicious activity
6. Keep Updated: Update dependencies regularly using pnpm update
7. Environment Variables: Never commit .env files to version control
8. API Key Management: Rotate API keys regularly and revoke unused ones

• Single Sign-On (SSO) support via OAuth2 (configurable)
• Two-Factor Authentication support (2FA)
• Session Management with automatic timeout
• API Key Scoping (User, Workspace, or Project level)

• Claude Code Integration: Uses MCP protocol with permission inheritance
• GitHub Integration: OAuth2-based with minimal required permissions
• Custom API Keys: Generated with limited scopes

• Self-hosted deployments: Security is dependent on proper configuration and maintenance
• Claude Code access: Currently requires explicit permission through pairing
• Network exposure: Always use VPN/firewall to restrict network access in production

No known security vulnerabilities at this time.

For historical security issues and their resolutions, see: GitHub Security Advisories

Kanbu can be deployed to meet various compliance requirements:

• GDPR: By using proper access controls and audit logging
• HIPAA: With encrypted storage and audit trails (requires additional configuration)
• SOC 2: With proper monitoring, backups, and access controls

For security-related questions or concerns, please contact:

• Email: R.Waslander@gmail.com
• Security Issues: Use responsible disclosure via the email above

This security policy is part of the Kanbu project licensed under AGPL-3.0.