We provide security updates for the following versions of CadentialAI:
| Version | Supported |
|---|---|
| 2.x.x | β |
| 1.x.x | β |
If you discover a security vulnerability in CadentialAI, please help us maintain a secure environment by reporting it responsibly.
Please do NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security issues by:
- Email: Send details to [SECURITY_EMAIL] (replace with your email)
- Private Issue: Create a private security advisory on GitHub
When reporting a security vulnerability, please include:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact and attack scenarios
- Environment: Windows version, Python version, CadentialAI version
- Screenshots/Logs: If applicable (remove sensitive information)
- Initial Response: Within 48 hours
- Assessment: Within 7 days
- Fix Development: Varies based on complexity
- Public Disclosure: After fix is released (coordinated disclosure)
- API Keys: Store API keys securely, never commit them to version control
- Configuration: Keep configuration files with sensitive data private
- Updates: Keep CadentialAI and dependencies up to date
- Permissions: Run with minimal required permissions
- Network: Be cautious about network requests and data transmission
- Input Validation: Always validate and sanitize inputs
- Dependencies: Regularly update and audit dependencies
- Secrets Management: Use environment variables or secure vaults for secrets
- Code Review: Review code changes for security implications
- Testing: Include security testing in your test suite
- CadentialAI uses Windows APIs and automation which require elevated permissions
- Screen capture and UI automation may capture sensitive information
- Network requests are made to AI service providers
- User commands and screen content may be sent to AI services
- Local logs may contain sensitive information
- Configuration files may contain API keys and personal settings
- Commands are sent to external AI services (OpenAI, Azure, etc.)
- Consider data privacy implications of cloud AI services
- Review AI service privacy policies and terms
Security updates will be:
- Released as soon as possible after validation
- Documented in release notes
- Announced through GitHub releases
- Tagged with security labels
We believe in responsible disclosure and will:
- Work with researchers to understand and fix vulnerabilities
- Provide credit to reporters (if desired)
- Coordinate public disclosure timing
- Maintain transparency about security practices
For security-related questions or concerns:
- Security Issues: Use private reporting methods above
- General Security Questions: Create a GitHub discussion
- Security Best Practices: Check documentation or ask in discussions
Thank you for helping keep CadentialAI secure! π‘οΈ