Security Acknowledgements

On November 5, 2025, the Google Cloud Security Team disclosed critical vulnerabilities affecting runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). These flaws presented a risk of container breakouts and potential root privilege escalation within Cloud Run worker pools.

Impact and Resolution

If exploited, these vulnerabilities could allow a malicious actor to gain unauthorized access to the underlying execution environment. In response, Google Cloud proactively notified customers and implemented a mandatory security update moving Cloud Run jobs to Linux user namespaces. This change effectively mitigates the risk by removing true root access for containers, ensuring a more secure sandboxed environment.

On October 14, 2022, Aditya Dubey reported a Directory Indexing Vulnerability stemming from our web server configuration. He found this was enabled on the `/assets/images/` folder, allowing any visitor to view a complete list of files, thereby exposing our directory structure.

Security Hardening and Resolution

While not a critical flaw, this type of information leak can help an attacker map our application and identify other potential weaknesses. It signifies a lapse in security hardening best practices.

Upon receiving Aditya's report, our team immediately updated the server configuration to disable the directory indexing feature across all asset folders. These paths now correctly return a "403 Forbidden" error, preventing unintended data exposure. We thank Aditya for his thoroughness and for helping us enforce a more robust security posture.

In June 2026, Vansh Rathore responsibly disclosed an Insufficient Rate Limiting vulnerability specifically within our signup authentication flow. His precise report highlighted an opportunity to harden the /api/auth/complete-signup OTP verification endpoint against automated guessing attacks.

Impact and Resolution

The reported configuration presented a theoretical risk where automated tooling could attempt to guess the 6-digit email verification OTP within its very short validity window. By bypassing this verification, an actor could have potentially registered unverified accounts.

Our team swiftly validated the report and implemented a robust, two-layered security architecture directly on the discovered endpoint. We deployed strict IP-based rate limiting to prevent volumetric spam, alongside stateful account lockouts that completely invalidate the OTP after five failed attempts. We extend our sincere gratitude to Vansh for his professionalism, detailed documentation, and strict adherence to our "Minimize Impact" guidelines.