Aethel Bot OSS repository!
# Security Policy

## Supported Versions

We actively maintain and provide security updates for the following versions:

| Version  | Supported          |
| -------- | ------------------ |
| Latest   | :white_check_mark: |
| < Latest | :x:                |

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security
vulnerability in Aethel, please report it responsibly.

### How to Report

1. **Do NOT** create a public GitHub issue for security vulnerabilities
2. Send an email to the project maintainers with:
   - A clear description of the vulnerability
   - Steps to reproduce the issue
   - Potential impact assessment
   - Any suggested fixes (if available)

### What to Expect

- **Acknowledgment**: We will acknowledge receipt of your report within 48 hours
- **Initial Assessment**: We will provide an initial assessment within 5
  business days
- **Updates**: We will keep you informed of our progress throughout the
  investigation
- **Resolution**: We aim to resolve critical vulnerabilities within 30 days

### Responsible Disclosure

We follow responsible disclosure practices:

- We will work with you to understand and resolve the issue
- We will credit you for the discovery (unless you prefer to remain anonymous)
- We ask that you do not publicly disclose the vulnerability until we have had a
  chance to address it

## Security Measures

### Current Security Implementations

- **SSRF Protection**: API endpoints are restricted to whitelisted hosts to
  prevent Server-Side Request Forgery attacks
- **Input Validation**: All user inputs are validated and sanitized
- **Encryption**: Sensitive data like API keys are encrypted before storage
- **Authentication**: Secure token-based authentication for API access
- **Rate Limiting**: Protection against abuse and DoS attacks

### Allowed API Hosts

For security reasons, custom API endpoints are restricted to the following
trusted hosts:

- `api.openai.com`
- `openrouter.ai`
- `generativelanguage.googleapis.com`
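An allowlist check of the kind the SSRF Protection section describes, added here as an example for this policy rather than Aethel's own code; the function name and the extra rules beyond exact host matching (HTTPS only, no embedded credentials, no non-default port) are assumptions:

```javascript
// Added example (not Aethel's code): validate a user-supplied custom API
// endpoint against the allowed hosts listed above before any request is made.
const ALLOWED_API_HOSTS = new Set([
  'api.openai.com',
  'openrouter.ai',
  'generativelanguage.googleapis.com',
]);

// Returns the normalized endpoint URL as a string, or null if it is rejected.
function validateApiEndpoint(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // unparseable input is rejected rather than "fixed up"
  }
  // HTTPS only: rules out plain http and non-HTTP schemes such as file: or gopher:.
  if (url.protocol !== 'https:') return null;
  // "https://api.openai.com@other.example/" parses to hostname "other.example";
  // reject any URL carrying credentials regardless of the host it resolves to.
  if (url.username || url.password) return null;
  // Non-default ports are rejected so the allowlist cannot be pointed at
  // another service running on the same name.
  if (url.port !== '') return null;
  // Exact match on the parsed hostname (the URL parser has already lowercased
  // it). Prefix/suffix look-alikes such as "api.openai.com.other.example",
  // "notapi.openai.com" and the trailing-dot form "api.openai.com." all fail.
  if (!ALLOWED_API_HOSTS.has(url.hostname)) return null;
  return url.toString();
}
```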

### Security Best Practices

When contributing to or using Aethel:

1. **Never commit secrets**: Do not include API keys, passwords, or other
   sensitive information in code
2. **Use environment variables**: Store sensitive configuration in environment
   variables
3. **Validate inputs**: Always validate and sanitize user inputs
4. **Follow least privilege**: Grant minimal necessary permissions
5. **Keep dependencies updated**: Regularly update dependencies to patch known
   vulnerabilities

## Security Audits

We regularly review our codebase for security vulnerabilities and welcome
security audits from the community.

### Automated Security Checks

- **Dependabot**: Automatically monitors and updates vulnerable dependencies
- **CodeQL**: Static analysis for security vulnerabilities
- **ESLint Security Rules**: Linting rules to catch common security issues

## Contact

For security-related questions or concerns, please contact the project
maintainers at scan@scanash.com

---

**Note**: This security policy is subject to change. Please check back regularly
for updates.