Aethel Bot OSS repository! aethel.xyz

Security Policy

Supported Versions

We actively maintain and provide security updates for the following versions:

Version Supported
Latest
< Latest

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability in Aethel, please report it responsibly.

How to Report

  1. Do NOT create a public GitHub issue for security vulnerabilities
  2. Send an email to the project maintainers with:
    • A clear description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact assessment
    • Any suggested fixes (if available)

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Initial Assessment: We will provide an initial assessment within 5 business days
  • Updates: We will keep you informed of our progress throughout the investigation
  • Resolution: We aim to resolve critical vulnerabilities within 30 days

Responsible Disclosure

We follow responsible disclosure practices:

  • We will work with you to understand and resolve the issue
  • We will credit you for the discovery (unless you prefer to remain anonymous)
  • We ask that you do not publicly disclose the vulnerability until we have had a chance to address it

Security Measures

Current Security Implementations

  • SSRF Protection: API endpoints are restricted to whitelisted hosts to prevent Server-Side Request Forgery attacks
  • Input Validation: All user inputs are validated and sanitized
  • Encryption: Sensitive data like API keys are encrypted before storage
  • Authentication: Secure token-based authentication for API access
  • Rate Limiting: Protection against abuse and DoS attacks

Allowed API Hosts

For security reasons, custom API endpoints are restricted to the following trusted hosts:

  • api.openai.com
  • openrouter.ai
  • generativelanguage.googleapis.com
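As an added illustration of the host allowlist check described above (this is not code from the Aethel project), the following JavaScript validates a user-supplied custom endpoint URL against these three hosts using Node's WHATWG URL parser; the function name, return shape and reason strings are assumptions:

```javascript
// Exact-match allowlist of trusted API hosts (the three hosts listed above).
const ALLOWED_API_HOSTS = new Set([
  'api.openai.com',
  'openrouter.ai',
  'generativelanguage.googleapis.com',
]);

// Returns { ok: true, url } for an acceptable endpoint, or { ok: false, reason }.
// Hypothetical helper; the name and return shape are assumptions for this example.
function validateApiEndpoint(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: 'endpoint is not a parseable absolute URL' };
  }
  // Only TLS endpoints: plain http would expose the API key in transit.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme must be https' };
  }
  // Reject "https://api.openai.com@attacker.example/": the allowlisted name
  // would sit in the userinfo part while the real host is something else.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials are not allowed in the endpoint URL' };
  }
  // url.port is '' for the default https port; any explicit other port is rejected.
  if (url.port !== '') {
    return { ok: false, reason: 'non-default port is not allowed' };
  }
  // url.hostname is already lowercased by the parser. Exact set membership means
  // "api.openai.com.attacker.example" and "api.openai.com." (trailing dot) fail.
  if (!ALLOWED_API_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is not allowlisted` };
  }
  return { ok: true, url: url.href };
}

// Constructed sample inputs for a stand-alone run.
for (const candidate of [
  'https://api.openai.com/v1/chat/completions',
  'https://api.openai.com@attacker.example/v1',
  'https://api.openai.com.attacker.example/v1',
  'http://openrouter.ai/api/v1',
]) {
  console.log(candidate, '->', JSON.stringify(validateApiEndpoint(candidate)));
}
```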

Security Best Practices

When contributing to or using Aethel:

  1. Never commit secrets: Do not include API keys, passwords, or other sensitive information in code
  2. Use environment variables: Store sensitive configuration in environment variables
  3. Validate inputs: Always validate and sanitize user inputs
  4. Follow least privilege: Grant minimal necessary permissions
  5. Keep dependencies updated: Regularly update dependencies to patch known vulnerabilities

Security Audits

We regularly review our codebase for security vulnerabilities and welcome security audits from the community.

Automated Security Checks

  • Dependabot: Automatically monitors and updates vulnerable dependencies
  • CodeQL: Static analysis for security vulnerabilities
  • ESLint Security Rules: Linting rules to catch common security issues

Contact

For security-related questions or concerns, please contact the project maintainers at scan@scanash.com

Note: This security policy is subject to change. Please check back regularly for updates.