1. Our Security Practices

BashWeather is built on a security-first architecture. We apply industry-standard and best-practice controls at every layer of the application to protect your data and our infrastructure.

• HTTPS Everywhere: All communication between your browser and BashWeather servers is encrypted using HTTPS. We enforce HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks.
• Encrypted Storage: User preferences, saved locations, and account metadata are stored in Cloudflare KV with encryption at rest. No sensitive data is stored in plaintext.
• Cloudflare Web Application Firewall (WAF): All traffic passes through Cloudflare's WAF, which filters known attack patterns including SQL injection, cross-site scripting (XSS), and credential stuffing attempts.
• No Plaintext Passwords: BashWeather uses Google OAuth 2.0 exclusively for authentication. We never create, store, or transmit user passwords in any form.
• Content Security Policy (CSP): We enforce a strict CSP to prevent injection attacks and unauthorized script execution.
• Rate Limiting: API endpoints and authentication flows are rate-limited to mitigate brute-force and denial-of-service attacks.

2. Data Encryption

BashWeather encrypts data both in transit and at rest:

3. Authentication

BashWeather uses Google OAuth 2.0 as its sole authentication mechanism. This means:

• We never create, store, or manage passwords on our servers.
• Your identity is verified entirely by Google's authentication infrastructure.
• We receive only the information you authorize via Google's consent screen: your name, email address, and profile picture.
• OAuth tokens issued by Google are short-lived and are refreshed securely on each session.
• Session cookies are HttpOnly, Secure, and SameSite=Strict to prevent cross-site request forgery and session hijacking.

4. Responsible Disclosure

We take all security vulnerability reports seriously. If you have discovered a potential security issue affecting BashWeather, we encourage you to report it to us responsibly before disclosing it publicly.

How to Report

• Email us at security@bashweather.app with a clear description of the vulnerability.
• Include: steps to reproduce, the potential impact, and any supporting evidence (screenshots, proof-of-concept code).
• Please encrypt sensitive reports using our PGP key if available, or clearly label the email subject as "Security Vulnerability Report."

Our Commitment

• Acknowledgement: We will acknowledge receipt of your report within 72 hours.
• Assessment: We will assess the issue and provide a status update within 7 business days.
• Resolution: We aim to resolve confirmed vulnerabilities within 30 days, depending on severity and complexity.
• Coordination: We will coordinate with you before any public disclosure.

We ask that you do not exploit the vulnerability beyond what is necessary to confirm its existence, do not access or modify data belonging to other users, and do not perform denial-of-service attacks or disrupt production services.

5. Bug Bounty Program

BashWeather does not currently operate a formal paid bug bounty program. However, we deeply value the work of security researchers and will:

• Publicly acknowledge researchers (with their permission) who report valid, significant vulnerabilities.
• Provide a written letter of appreciation for qualifying disclosures.
• Consider remedial cooperation on a case-by-case basis for researchers acting in good faith.

We reserve the right to establish a formal bug bounty program in the future. Researchers who have already reported vulnerabilities in good faith will be considered for retroactive recognition if such a program is launched.

6. Third-Party Security

BashWeather relies on the following trusted third-party infrastructure providers, each of which maintains their own rigorous security programs:

• Google (Authentication & APIs): Google's security infrastructure for OAuth 2.0 authentication is governed by Google's own security policies, ISO 27001 certification, and SOC 2 compliance. We have no control over Google's internal security practices.
• Cloudflare (Hosting, CDN, WAF, KV Storage): Cloudflare is a publicly traded security company with extensive certifications (ISO 27001, SOC 2 Type II, PCI DSS). Cloudflare Workers and KV Storage form the backbone of our backend infrastructure.
• Weather Data Providers: We use reputable weather API providers. Data obtained from these providers is weather information only and does not include personal user data.

We perform due diligence when selecting third-party providers and include data processing terms in our agreements where personal data is involved. See our Data Processing Agreement for details.

7. Data Breach Response

In the event of a confirmed personal data breach, BashWeather will follow these response procedures:

1. Containment: Immediately isolate and contain the breach to prevent further unauthorized access.
2. Assessment: Determine the scope, nature, and likely impact of the breach, including which categories of data and how many individuals are affected.
3. Notification to Supervisory Authority: Where the breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory data protection authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
4. Notification to Affected Users: Where the breach is likely to result in a high risk to individuals, we will notify affected users directly without undue delay, in accordance with GDPR Article 34, via email to their registered address.
5. Remediation: Take steps to address the vulnerabilities that led to the breach and prevent recurrence.
6. Documentation: Maintain a record of all breaches, their effects, and the remedial action taken, regardless of whether notification was required.

8. Security Limitations

By using BashWeather, you acknowledge and accept that:

• No data transmission over the internet is guaranteed to be 100% secure.
• You are responsible for maintaining the security of your Google account credentials.
• You should use a strong, unique password for your Google account and enable two-factor authentication.
• You should log out of BashWeather on shared or public devices.
• BashWeather is not responsible for security incidents resulting from your failure to protect your own account credentials.

9. Contact Our Security Team

For all security-related inquiries, vulnerability reports, and incident notifications, please contact:

For general privacy questions, contact privacy@bashweather.app.