Security

Our security practices and responsible disclosure process.

Chapterfeed Learning Space Private Limited takes the security of InAppCode and its supporting infrastructure seriously. This page describes our key security practices and how to report a vulnerability responsibly.

Last updated May 2025.

Security Practices

How we protect the product and its users.

API Key Authentication

All AI endpoints require a backend API key. The system raises an error on startup if the key is absent in non-development environments.

CORS Restriction

Cross-origin requests are restricted to explicitly listed origins. Wildcard origins are never permitted in staging or production environments.

Rate Limiting

AI endpoints enforce per-IP sliding-window rate limiting via Redis to prevent abuse. The limit is configurable per deployment environment.
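To make the control concrete, here is an added example of a per-IP sliding-window limiter built on the Redis sorted-set commands such a design typically uses (ZREMRANGEBYSCORE, ZADD, ZCARD, EXPIRE). It is illustrative code written for this page, not InAppCode's implementation; the key naming, the limit values and the in-memory `FakeSortedSetStore` that stands in for a Redis client so the example runs offline are all assumptions.

```python
import itertools
import time
from collections import defaultdict


class FakeSortedSetStore:
    """Constructed stand-in for the Redis sorted-set commands used below (assumption:
    a real deployment would call the same methods on a redis-py client)."""

    def __init__(self):
        self._sets = defaultdict(dict)  # key -> {member: score}

    def zremrangebyscore(self, key, lo, hi):
        s = self._sets[key]
        for member in [m for m, score in s.items() if lo <= score <= hi]:
            del s[member]

    def zadd(self, key, mapping):
        self._sets[key].update(mapping)

    def zcard(self, key):
        return len(self._sets[key])

    def expire(self, key, seconds):
        pass  # TTL is irrelevant for the in-memory stand-in


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client IP in any trailing `window_seconds`."""

    def __init__(self, store, limit, window_seconds):
        self.store, self.limit, self.window = store, limit, window_seconds
        self._seq = itertools.count()  # keeps members unique when timestamps collide

    def allow(self, client_ip, now=None):
        now = time.time() if now is None else now
        key = f"ratelimit:{client_ip}"  # assumed key layout
        # 1. Drop timestamps that have aged out of the trailing window.
        self.store.zremrangebyscore(key, float("-inf"), now - self.window)
        # 2. Deny if the window is already full; denied requests are not recorded,
        #    so a blocked client cannot extend its own lockout.
        if self.store.zcard(key) >= self.limit:
            return False
        # 3. Record this request and let the key expire once the window is idle.
        self.store.zadd(key, {f"{now:.6f}:{next(self._seq)}": now})
        self.store.expire(key, self.window)
        return True
```

On a real Redis the check in step 2 and the write in step 3 should be issued atomically (a MULTI/EXEC pipeline or a Lua script), otherwise concurrent workers can each read "not full" and collectively overshoot the limit.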

No Identity Data at Core

The app does not require a student account, which minimises personal identity data stored or processed by the core practice flow.

AI Provider Sandboxing

Code submitted for AI review is treated as untrusted input. Users should not submit secrets or regulated data in code samples.

Infrastructure Security

The backend runs on Kubernetes with Gunicorn and Uvicorn workers. Redis caching reduces unnecessary AI provider calls and improves resilience.

Responsible Disclosure

How to report a security issue.

We encourage security researchers, educators, and users to report suspected vulnerabilities through our disclosure process rather than public disclosure. Coordinated disclosure gives us the opportunity to remediate the issue before it is widely known.

To report a vulnerability:

  • Email connect@inappcode.com with the subject line Security Report.
  • Include clear reproduction steps and the affected component (website, app, or API endpoint).
  • Describe the potential impact and the conditions required to trigger the issue.
  • If you have a suggested remediation, include it — we appreciate it.
  • Do not include live credentials, private keys, or access tokens in your email.

What to Expect

Our response process.

  • Acknowledgement: We will acknowledge your report within 48 hours of receipt.
  • Assessment: We will review and triage the issue, typically within 5 business days.
  • Remediation: We will work on a fix and communicate progress. Timeline depends on severity and complexity.
  • Coordination: We will notify you before publishing any disclosure or fix so you can verify the remediation.
  • Credit: We are happy to acknowledge researchers who report valid issues responsibly.

Scope

What is in and out of scope.

In scope:

  • The InAppCode Android app (com.inappcode.app)
  • The public InAppCode website (inappcode.com)
  • The backend API endpoints serving the app

Out of scope:

  • Third-party AI providers (Groq, Google Gemini) — report issues to them directly
  • Google Play infrastructure
  • Social engineering or phishing attacks against our team
  • Denial-of-service attacks — do not send automated attack traffic