We take the security of Acara Plate and the privacy of our users' health data seriously. We appreciate the community's help in disclosing vulnerabilities responsibly.
As this project is under active development, we generally only support the latest released version and the main branch.
| Version | Supported | Notes |
|---|---|---|
| Latest Release | ✅ | |
| Main Branch | ✅ | |
| < 1.0.0 | ❌ | Development versions are unsupported |
Please do NOT report security vulnerabilities via public GitHub issues.
If you have discovered a security vulnerability in Acara Plate (e.g., XSS, SQL Injection, Authorization Bypass, or Data Leakage), please report it privately.
We use GitHub's Private Vulnerability Reporting feature. This allows you to open a private advisory that only repository maintainers can see.
- Go to the Security tab in the repository.
- Click "Report a vulnerability".
- Fill out the details.
If you cannot use GitHub Private Reporting, please email us at: team@acara.app
Please include:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Impact of the vulnerability.
- Any proof-of-concept code or screenshots.
We are committed to addressing security issues promptly:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Assessment: We will confirm the validity of the issue within 5-7 days.
- Fix: We will aim to patch critical vulnerabilities as soon as possible and release a security update.
- Authentication and Authorization bypasses.
- Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
- SQL Injection or Database exposure.
- Exposure of sensitive environment variables (e.g., API Keys).
- Leakage of private user health data (Glucose logs, Biometrics).
- AI Hallucinations: Incorrect nutritional advice or recipes generated by any configured LLM provider (OpenAI, Anthropic Claude, Google Gemini, DeepSeek, Groq, Mistral, etc.) are considered "Functional Bugs," not security vulnerabilities. Please report these via standard GitHub Issues.
- Attacks requiring physical access to the user's device.
- Social engineering or phishing attacks.
- "Self-XSS" (requiring the user to paste code into their own browser).
Acara Plate stores sensitive data (Blood Glucose Readings, Biometrics). While this is an open-source project often run locally, we treat the code architecture with high security standards to protect this data. We welcome audits specifically targeting the GlucoseReading and User models to ensure tenant isolation is strictly enforced.
Thank you for helping keep the Acara Plate community safe.