Only the latest release of PredictIQ receives security fixes.
| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| Older | ❌ No |
Please do not open a public GitHub issue for security vulnerabilities.
Use one of the following channels:
- GitHub Private Vulnerability Reporting (preferred) — click the Report a vulnerability button on the Security tab of this repository.
- Email — send details to
security@predictiq.iowith the subject line[SECURITY] <brief description>.
- A clear description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (if available)
- Affected component(s) and version(s)
- Any suggested mitigations
| Milestone | Target |
|---|---|
| Acknowledgement | Within 2 business days |
| Initial assessment | Within 5 business days |
| Fix or mitigation | Within 30 days for critical/high; 90 days for medium/low |
| Public disclosure | After a fix is available and affected users have had time to update |
We follow coordinated disclosure. We will notify you before any public disclosure and credit you in the release notes unless you prefer to remain anonymous.
- Vulnerabilities are kept confidential until a fix is released.
- We will publish a security advisory on GitHub after the fix is deployed.
- We ask reporters to refrain from public disclosure until we have released a fix or the agreed embargo period has passed.
The following are in scope:
services/api— Rust API backendservices/tts— TTS microservicefrontend— Next.js frontendcontracts/predict-iq— Soroban smart contracts- CI/CD pipelines and infrastructure-as-code in this repository
The following are out of scope:
- Third-party services (SendGrid, Stellar network, Pyth Network)
- Denial-of-service attacks without a demonstrated security impact
- Issues already reported or known
- Never commit secrets, API keys, or credentials — use environment variables.
- Follow the principle of least privilege when adding new permissions.
- Validate and sanitise all external input.
- Keep dependencies up to date; dependency-scan CI runs on every PR.
Cross-Site Request Forgery (CSRF) exploits the browser's automatic inclusion of cookies in cross-origin requests. It is only relevant when an endpoint mutates state and authentication is carried by a cookie that the browser attaches automatically.
The PredictIQ API uses stateless authentication — API keys (X-Api-Key
header) and URL-embedded tokens — not cookies. This eliminates the primary CSRF
attack vector for all current endpoints.
| Endpoint | Auth method | CSRF risk | Mitigation |
|---|---|---|---|
POST /api/v1/newsletter/subscribe |
None (public) | Low | JSON Content-Type blocks HTML-form CSRF; Origin validation middleware |
GET /api/v1/newsletter/unsubscribe |
URL token (?token=) |
None | Tokens are per-user secrets; GET does not mutate via form attack |
GET /api/v1/newsletter/confirm |
URL token | None | Same as above |
GET /api/v1/newsletter/gdpr/export |
URL token | None | Same as above |
DELETE /api/v1/newsletter/gdpr/delete |
URL token | None | Same as above |
POST /api/v1/markets/*/resolve |
X-Api-Key header |
None | Custom headers cannot be forged by cross-site forms |
| All other admin routes | X-Api-Key header |
None | Custom headers cannot be forged by cross-site forms |
Even though no cookie auth exists, the following defenses are active:
-
JSON Content-Type requirement —
content_type_validation_middlewareenforcesContent-Type: application/jsonon all state-changing endpoints. HTML<form>elements can only submitapplication/x-www-form-urlencodedormultipart/form-data, so a forged form POST is rejected before reaching any handler. -
Origin / Referer validation —
csrf_protection_middleware(insrc/csrf.rs) is applied to the newsletter route group. For any state-changing request (POST / PUT / PATCH / DELETE) that carries anOriginheader, the middleware rejects the request with 403 Forbidden if the origin is not in theCORS_ALLOWED_ORIGINSlist. When aCookieheader is present butOriginis absent, theRefererheader is checked as a fallback. Non-browser clients (noOrigin, noCookie) are passed through unchanged. -
API-key exclusion — requests carrying an
X-Api-Keyheader skip the Origin/Referer check entirely, as API-key auth is inherently CSRF-safe.
If cookie-based session authentication is introduced, a Synchronizer Token or Double-Submit Cookie pattern must be added for all state-changing endpoints accessible via browser sessions.