We release patches for security vulnerabilities in the following versions:

We take the security of Hive seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Do not create a public GitHub issue for security vulnerabilities
• Do not disclose the vulnerability publicly until we've had a chance to address it

• Email us at morapelker@gmail.com with details of the vulnerability
• Include as much information as possible:
  • Type of vulnerability (e.g., remote code execution, SQL injection, cross-site scripting)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

After you submit a vulnerability report:

1. Acknowledgment: We'll acknowledge receipt of your report within 48 hours
2. Assessment: We'll investigate and validate the issue within 7 days
3. Resolution: We'll work on a fix and coordinate a release timeline with you
4. Credit: We'll credit you for the discovery (unless you prefer to remain anonymous)

• We aim to patch confirmed vulnerabilities within 30 days
• We'll coordinate public disclosure with you after a fix is available
• We'll publish a security advisory on GitHub when appropriate

To keep your Hive installation secure:

• Always run the latest version of Hive
• Enable automatic updates if available
• Check for updates regularly via brew upgrade hive

• Keep your git repositories secure
• Use strong passwords for any integrated services
• Be cautious with AI API keys and tokens
• Review permissions when running AI coding sessions

• Keep macOS updated with the latest security patches
• Use full disk encryption (FileVault)
• Enable firewall if working in public networks
• Regularly backup your ~/.hive directory

• Review tool permissions before approving AI actions
• Be cautious with AI agents accessing sensitive files
• Don't share session logs containing sensitive data
• Rotate API keys periodically

Hive implements several security measures:

• Context Isolation: Enabled to prevent renderer access to Node.js
• Sandbox Mode: Renderer processes run in a sandbox
• Node Integration: Disabled in renderer for security
• Content Security Policy: Restricts resource loading
• HTTPS Only: External resources loaded via HTTPS only

• Local Storage Only: All data stored locally in ~/.hive
• SQLite Encryption: Optional database encryption support
• Secure IPC: Type-safe IPC communication between processes
• Permission System: AI agents require explicit permission for sensitive operations

• macOS Notarization: App is notarized by Apple
• Hardened Runtime: Enhanced runtime security on macOS
• Automatic Updates: Signed updates via GitHub releases

• We regularly update dependencies to patch known vulnerabilities
• Run pnpm audit to check for known issues in dependencies
• We use Dependabot to monitor and update dependencies

• AI sessions run with the same permissions as the user
• Always review AI-generated code before executing
• Be cautious with AI agents that request file system access
• API keys are stored locally and never transmitted to our servers

We're grateful to the security researchers who have helped make Hive more secure:

• Your name could be here!

If you have questions about this security policy, please:

• Open a discussion (for non-sensitive topics)
• Email us at morapelker@gmail.com (for sensitive topics)

Thank you for helping keep Hive and its users safe!