We take security seriously and actively maintain the following versions:

We recommend always using the latest version to ensure you have the most recent security patches and updates.

Please do NOT report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, please report it to:

Email: prateek@llmhub.dev

Subject: [SECURITY] Brief description of the issue

Please provide as much information as possible to help us understand and resolve the issue:

1. Description: Clear description of the vulnerability
2. Impact: What could an attacker achieve?
3. Steps to Reproduce: Detailed steps to reproduce the issue
4. Proof of Concept: Code snippets, screenshots, or logs
5. Environment: OS, browser, Node.js/Python versions
6. Suggested Fix: If you have ideas on how to fix it
7. Severity: Your assessment of the severity (Critical/High/Medium/Low)

Subject: [SECURITY] SQL Injection in user profile endpoint
Description:
The /api/user/profile endpoint is vulnerable to SQL injection through the
'username' parameter.
Impact:
An attacker could read, modify, or delete database records, potentially
accessing sensitive user data or taking over accounts.
Steps to Reproduce:
1. Navigate to http://localhost:3000/api/user/profile
2. Send POST request with payload: {"username": "admin' OR '1'='1"}
3. Observe unauthorized data access
Proof of Concept:
[Attach screenshot or code snippet]
Environment:
- OS: Ubuntu 22.04
- Node.js: 20.10.0
- Browser: Chrome 120
Severity: Critical

1. Acknowledgment: We'll acknowledge receipt within 24 hours
2. Initial Assessment: We'll assess severity and impact within 48 hours
3. Status Updates: We'll keep you informed of our progress
4. Fix Development: We'll work on a fix and coordinate disclosure timing
5. Public Disclosure: We'll publicly disclose after the fix is deployed

• Critical vulnerabilities: Fix within 7 days
• High severity: Fix within 14 days
• Medium severity: Fix within 30 days
• Low severity: Fix in next regular release

• Supabase Auth with Row Level Security (RLS)
• JWT-based session management
• Encrypted API keys storage (BYOK)
• CSRF protection on all state-changing operations

• API keys encrypted with AES-256 (ENCRYPTION_KEY)
• Passwords hashed with bcrypt
• Secure session cookies (httpOnly, secure, sameSite)
• Environment variables for sensitive data

• Docker container sandboxing
• Network isolation options
• Resource limits (CPU, memory, disk)
• Ephemeral environments (no data persistence)
• Automated cleanup after sessions

• Pydantic models for request validation
• TypeScript strict mode
• SQL injection prevention (parameterized queries)
• XSS protection (sanitized outputs)
• File path validation

• API endpoint rate limiting
• WebSocket connection limits
• VM creation throttling
• Resource usage monitoring

• Security event logging
• Error tracking
• Access logs (anonymized)
• Anomaly detection

1. Environment Variables

   • Never commit .env files
   • Use .env.example as a template
   • Rotate credentials regularly
   • Use strong, unique passwords

2. API Keys

   • Store in environment variables only
   • Enable encryption (ENCRYPTION_KEY)
   • Never log API keys
   • Use least-privilege access

3. VM Security

   • Don't store sensitive data in VMs
   • Use isolated networks when possible
   • Monitor resource usage
   • Clean up containers regularly

4. Code Security

   • Review generated commands before execution
   • Validate all user inputs
   • Use parameterized queries
   • Sanitize file paths
   • Keep dependencies updated

1. Network Security

   • Use HTTPS in production
   • Configure firewall rules
   • Restrict VM network access
   • Use VPNs for remote access

2. Container Security

   • Keep Docker images updated
   • Use non-root users in containers
   • Scan images for vulnerabilities
   • Limit container capabilities

3. Database Security

   • Enable Supabase RLS policies
   • Use strong database passwords
   • Backup regularly
   • Monitor access logs

4. Server Hardening

   • Keep OS and packages updated
   • Disable unnecessary services
   • Configure fail2ban or similar
   • Use SSH keys (not passwords)

1. VM Access: Agents have full control within VMs by design
2. Command Execution: Terminal agent can execute any command
3. Browser Automation: Browser agent can visit any website
4. User Responsibility: Users are responsible for agent actions

• VMs are isolated and ephemeral
• Resource limits prevent abuse
• Rate limiting prevents spam
• Monitoring detects anomalies
• User consent required for actions

We follow coordinated disclosure:

1. Report received: Vulnerability reported privately
2. Fix developed: We develop and test a fix
3. Fix deployed: Patch released to all users
4. Public disclosure: Details published after 90 days

We appreciate security researchers who help keep our users safe:

• Hall of Fame: Public recognition on our website
• Credit: Listed in release notes and security advisories
• Swag: Open Computer Use swag for significant findings

Note: We currently don't offer a bug bounty program, but we deeply value your contributions.

Security advisories will be published at:

• GitHub Security Advisories
• Release notes
• Discord announcements
• Email to registered users

Subscribe to our GitHub releases to stay informed.

• GitHub: Security advisories and releases
• Discord: #security-updates channel
• Email: Critical alerts to registered users
• Twitter: @llmhub_dev for major updates

1. Update regularly: git pull && npm install && pip install -r requirements.txt
2. Watch releases: Enable GitHub notifications
3. Join Discord: Get real-time security updates
4. Review changelog: Check CHANGELOG.md for security fixes

• OWASP Top 10: Web application security risks
• CWE Top 25: Common software weaknesses
• NIST Cybersecurity Framework: Security best practices
• GDPR: Data protection and privacy (for EU users)
• CCPA: Privacy rights (for California users)

We're working towards:

• SOC 2 Type II compliance
• ISO 27001 certification
• GDPR compliance audit

We plan to conduct regular security audits as the project grows.

• Security Lead: Prateek Jannu (prateek@llmhub.dev)
• General Security: prateek@llmhub.dev
• PGP Key: [Coming soon]

Our security team includes:

• Core maintainers
• Security advisors
• Community contributors

• Responsible Use Guidelines
• Contributing Guide
• Privacy Policy
• Terms of Service

• OWASP Cheat Sheets
• Docker Security Best Practices
• Supabase Security
• Node.js Security Best Practices

Have questions about our security practices?

• Email: security@llmhub.dev
• Discord: Join our server
• Discussions: GitHub Discussions

Thank you for helping keep Open Computer Use and our users safe! 🔒

Last updated: October 2025