Security

Last updated: [Month Day, Year]

Security is important to Codal because users and organizations trust us with manuscripts, drafts, metadata, source files, contributors, and release records.

This page explains how to report security issues and how we approach security.

1. Reporting a vulnerability

If you believe you have found a security vulnerability in Codal, please contact:

[[email protected]]

Please include:

  • a description of the issue
  • steps to reproduce
  • affected URLs or endpoints
  • screenshots or proof of concept if safe to share
  • your contact information
  • whether you believe data was accessed or modified

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and fix it.

2. What not to do

When testing or reporting security issues, do not:

  • access, download, modify, or delete data that is not yours
  • disrupt the service
  • run denial-of-service tests
  • use automated high-volume scanning
  • attempt social engineering
  • access another user's account
  • publish private information
  • upload malware
  • exploit an issue beyond what is necessary to demonstrate it safely

3. Our security practices

Codal uses security practices intended to protect accounts, projects, releases, packages, and files.

These may include:

  • authentication and session controls
  • project and organization permissions
  • private/public access controls
  • signed URLs or controlled downloads
  • audit logs for important actions
  • artifact signing and verification tools
  • secure storage configuration
  • restricted administrative access
  • monitoring and error logging
  • backups and operational safeguards
  • dependency updates and security reviews

No system is completely secure. We continuously work to improve Codal's security.

4. Account security

Users are responsible for keeping account credentials safe.

We recommend:

  • using a strong password
  • not sharing accounts
  • limiting organization/project permissions
  • removing users who no longer need access
  • reviewing public/private project settings before release
  • exporting backups of important projects

If you believe your account was compromised, contact:

[[email protected]]

5. Responsible disclosure

We appreciate good-faith security research.

If you report a valid issue responsibly, we will try to:

  • acknowledge receipt
  • investigate promptly
  • keep you updated when possible
  • fix confirmed issues
  • credit you if you want and if appropriate

Codal does not currently operate a paid bug bounty program unless separately announced.

6. Sensitive data

Do not submit sensitive personal data, secrets, passwords, private keys, or confidential materials in a vulnerability report unless necessary. If necessary, tell us first so we can arrange a safer method.

7. Security contact

Security reports:

[[email protected]]

General support:

[[email protected]]