We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Aethel, please report it responsibly.
- Do NOT create a public GitHub issue for security vulnerabilities
- Send an email to the project maintainers with:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Updates: We will keep you informed of our progress throughout the investigation
- Resolution: We aim to resolve critical vulnerabilities within 30 days
We follow responsible disclosure practices:
- We will work with you to understand and resolve the issue
- We will credit you for the discovery (unless you prefer to remain anonymous)
- We ask that you do not publicly disclose the vulnerability until we have had a chance to address it
- SSRF Protection: API endpoints are restricted to whitelisted hosts to prevent Server-Side Request Forgery attacks
- Input Validation: All user inputs are validated and sanitized
- Encryption: Sensitive data like API keys are encrypted before storage
- Authentication: Secure token-based authentication for API access
- Rate Limiting: Protection against abuse and DoS attacks
For security reasons, custom API endpoints are restricted to the following trusted hosts:
api.openai.comopenrouter.aigenerativelanguage.googleapis.com
When contributing to or using Aethel:
- Never commit secrets: Do not include API keys, passwords, or other sensitive information in code
- Use environment variables: Store sensitive configuration in environment variables
- Validate inputs: Always validate and sanitize user inputs
- Follow least privilege: Grant minimal necessary permissions
- Keep dependencies updated: Regularly update dependencies to patch known vulnerabilities
We regularly review our codebase for security vulnerabilities and welcome security audits from the community.
- Dependabot: Automatically monitors and updates vulnerable dependencies
- CodeQL: Static analysis for security vulnerabilities
- ESLint Security Rules: Linting rules to catch common security issues
For security-related questions or concerns, please contact the project maintainers at scan@scanash.com
Note: This security policy is subject to change. Please check back regularly for updates.