Add Proposed Fix for Issue #58 (Account Deletion IDOR)

reports/account-deletion-idor-placeholder.md

@@ -0,0 +1,24 @@
+# Placeholder Submission for Issue #58: IDOR on Account Deletion
+
+This pull request serves as a placeholder for the vulnerability reported at: [AIxBlock-2023#58](https://github.com/AIxBlock-2023/awesome-ai-dev-platform-opensource/issues/58)
+
+The issue describes an Insecure Direct Object Reference (IDOR) vulnerability in the account deletion endpoint: DELETE https://app.aixblock.io/api/users/{user_id}
+
+Any authenticated user can delete another user's account by changing the `user_id` in the request. The server does not verify whether the requestor actually owns the account, and it deletes the target account permanently without any confirmation or access control validation.
+
+** Proposed Fix **
+
+To mitigate this vulnerability:
+
+- Implement strict authorization checks so that only the **account owner** can initiate a deletion request for their own account.
+- If a user attempts to delete another user's account, return a `403 Forbidden` error with a clear message.
+
+### Example Unauthorized Response:
+
+```http
+HTTP/2 403 Forbidden
+{
+  "status_code": 403,
+  "detail": "You are not allowed to delete this account."
+}
+

reports/internal-metadata-exposure.md

@@ -0,0 +1,7 @@
+This pull request is a placeholder related to the infrastructure metadata exposure issue I reported in issue #116.
+
+The endpoint `https://app.aixblock.io/api/settings/installation-service/` reveals internal configuration data such as Docker image names, environment types, registry URLs, and version info — all of which should ideally be restricted to internal or admin roles.
+
+This placeholder commit is made from my fork as part of the official submission requirements.
+
+Looking forward to any feedback or next steps. Thank you!