papra/SECURITY.md

Security Policy

Security is critically important to Papra. We actively welcome responsible disclosure of any vulnerabilities found in our platform.

Reporting a Vulnerability

If you discover a security issue within Papra, please email us directly at security@papra.app with the following details:

• Clear description of the vulnerability.
• Steps or proof-of-concept to reproduce the vulnerability.
• Potential impact or implications of the vulnerability.

We ask you not to publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Response and Communication

We will:

• Acknowledge receipt of your report within 48 hours.
• Investigate and provide initial feedback within 5 business days.
• Work diligently to fix validated vulnerabilities.
• Keep you updated throughout the process until the issue is resolved.

Security Practices at Papra

Papra follows industry-standard security practices:

• Secure hosting infrastructure provided by trusted services (Render, Cloudflare, Turso).
• Regular security and dependency updates.
• Strict access controls to production environments.
• Encryption of data in transit and at rest.

Acknowledgments

We greatly appreciate and acknowledge all researchers who responsibly report vulnerabilities, helping us keep Papra secure.