Patens

Security.

Patens is open source under the MIT License. If you find a security issue — a way for an attacker to access someone else's projects, hijack a share, leak a credential, or otherwise compromise the integrity of the app — please report it.

How to report

Email security@patens.design with the details. Include:

  • A short summary of the issue + its impact.
  • Steps to reproduce, or a proof-of-concept.
  • The component / route / file you believe is affected.
  • Whether you'd like public credit on disclosure (CVE, GitHub release notes, X mention — your choice).

What I commit to

  • Acknowledge within 48 hours. You'll get a reply confirming I received the report, even if I'm at a conference or in a deep-work block.
  • Investigate within 7 days. Sometimes faster, sometimes I'll ask follow-up questions. I'll share a triage with severity + scope so you know where it sits.
  • Fix + disclose collaboratively. For high-severity issues I'll cut a patch release first, then publish a disclosure with credit (if requested). For low-severity, I'll fix in the regular release stream + document in the changelog.
  • No legal pursuit. Good-faith research that respects responsible-disclosure (you don't dump customer data, you don't sit on the issue forever, you tell me before going public) won't get you sued.

In scope

  • The Patens web application at patens.design.
  • The /api/share + /api/share/[id] endpoints (cloud-share auth + token handling).
  • The /api/ai/messages proxy (key handling, header passthrough).
  • The /auth/* OAuth flow (where enabled by self-hosters).
  • Service worker eviction logic (cache poisoning, stale-version attacks).
  • The source code at github.com/alevizio/patens.

Out of scope

  • Third-party services Patens depends on (Vercel, Anthropic, Vercel Blob storage). Report those upstream.
  • Self-hosted Patens deployments operated by someone else — talk to them directly.
  • "I can use my own browser DevTools to edit my own projects." That's the design, not a vulnerability.
  • DoS attacks. Vercel handles network-layer abuse; please don't actively flood the deployment.

What Patens does to keep your data safe

  • Constant-time token comparison for share-delete tokens (timingSafeEqual), to defend against timing attacks on the token value.
  • Same-origin redirect validation on the auth flow (safeReturnTo), so a tampered return query parameter cannot be turned into an open redirect to another host.
  • HMAC-SHA256 signed session cookies (when OAuth is enabled), HttpOnly + SameSite=Lax + Secure in production.
  • No eval() or new Function() on user input. Glyph names, kerning class names, brief text — all rendered with Svelte's escaping; never executed.
  • UUID-only share URLs. Share IDs are crypto.randomUUID() — unguessable without the link. The capability model: anyone with the URL can read; only the originator (who holds the delete-token in their browser) can re-share or delete.
  • Anthropic API keys never logged or stored. The /api/ai/messages proxy forwards the user's own key to Anthropic verbatim and holds it only for the lifetime of that proxied request; it is never written to logs, persisted, or reused by Patens's server.

Last updated: 2026-05-25. The latest version of this policy is always at patens.design/security.