If you discover a security vulnerability in E2B Fragments, please report it responsibly:

• Email: [email protected]
• Subject: [SECURITY] E2B Fragments Vulnerability Report

Please include the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested fix (if available)
• Your contact information

• Initial Response: Within 24 hours
• Assessment: Within 72 hours
• Fix Development: Within 7 days (critical), 30 days (others)
• Public Disclosure: After fix deployment + 14 days

• CSP Headers: Content Security Policy implemented
• HSTS: HTTP Strict Transport Security enabled
• XSS Protection: X-XSS-Protection headers set
• MIME Sniffing: X-Content-Type-Options protection
• Clickjacking: X-Frame-Options protection

• Rate Limiting: Implemented for all API endpoints
• Input Validation: Zod schema validation for all inputs
• Authentication: Supabase-based secure authentication
• Authorization: User-based access controls

• Sandboxing: E2B isolated execution environments
• HTTPS: TLS encryption for all communications
• Environment Variables: Sensitive data isolated
• Resource Limits: CPU and memory constraints

• Structured Logging: JSON-based production logs
• Security Events: Special security event tracking
• Error Handling: Graceful error management
• Audit Trail: API request logging

# ❌ Never commit these files
.env
.env.local
.env.production

# ✅ Use .env.example instead
cp .env.example .env

// ❌ Never hardcode API keys
const apiKey = "sk-1234567890"

// ✅ Use environment variables
const apiKey = process.env.OPENAI_API_KEY

// ✅ Always validate inputs
const schema = z.object({
  message: z.string().min(1).max(1000),
  userId: z.string().uuid()
})

const result = schema.parse(userInput)

// ❌ Don't log sensitive data
logger.info('User login', { password: userPassword })

// ✅ Sanitize sensitive information
logger.info('User login', { userId: user.id })

• Use HTTPS everywhere
• Enable all security headers
• Set up proper CORS policies
• Configure rate limiting
• Monitor for suspicious activities

• Use environment variables for secrets
• Rotate API keys regularly
• Implement least privilege access
• Use secure secret storage services

• All environment variables configured
• API keys rotated and secured
• Security headers implemented
• Rate limiting configured
• Input validation in place
• Error handling implemented
• Logging configured
• HTTPS enabled

• Dependency security audit (monthly)
• API key rotation (quarterly)
• Security review (quarterly)
• Penetration testing (annually)

• E2B Sandboxes: Code execution in isolated environments
• AI APIs: External API calls to LLM providers
• Supabase: Third-party authentication service
• PostHog: Analytics data collection

• All third-party integrations use official SDKs
• API keys are properly scoped and rotated
• User data is sanitized before external calls
• Monitoring for abnormal usage patterns

This security policy applies to:

• E2B Fragments application code
• Deployment configurations
• Third-party integrations
• User data handling

• Third-party service vulnerabilities (report to respective vendors)
• Social engineering attacks
• Physical security issues
• DoS attacks using automated tools

We support security research and will not pursue legal action against researchers who:

• Report vulnerabilities responsibly
• Do not access or modify user data
• Do not perform destructive testing
• Comply with all applicable laws

We recognize security researchers who help improve our security:

No reports yet - be the first!

• OWASP Top 10
• Next.js Security
• E2B Security
• Supabase Security

Last Updated: June 2025
Version: 1.0