| Version | Supported |
|---|---|
main |
✅ |
v1.1.x |
✅ |
v1.0.x |
✅ |
< v1.0 |
❌ |
Security fixes are back-ported to the latest two minor releases.
Do not file a public issue for security vulnerabilities.
Email security@alexi5000.com with:
- A clear description of the issue and its impact.
- Reproduction steps or a proof-of-concept.
- Suggested severity (CVSS v3 if you have one).
- Whether you'd like public credit in the advisory.
You should hear back within three business days. We will work with you to confirm the issue, agree on a fix timeline, and coordinate disclosure. We follow responsible disclosure: we publish a GHSA advisory once a fix is available or after 90 days, whichever comes first.
Once we confirm a vulnerability, we will:
- Open a private GitHub Security Advisory.
- Cut a fix on a maintenance branch.
- Notify you when the fix is merged.
- Publish the advisory with a CVE reference.
- Add a credit line if you want one.
- Denial-of-service attacks against a public deployment you do not own.
- Social engineering of maintainers.
- Reports about missing security headers on third-party hosts (e.g. Streamlit Cloud) — those are operator-side decisions.
- Rotate
GROQ_API_KEYperiodically and on personnel changes. - Use a private
DATABASE_PATHon a filesystem that supports WAL (mode = walis the default). - Set
APP_ENV=productionand neverDEBUG=truetogether. - Front the Streamlit UI with an authenticating reverse proxy when exposing it beyond localhost.
- Keep
.envand.streamlit/secrets.tomlout of version control (already in.gitignore).