Security: kar-ganap/processor-comp-aibot
SECURITY.md

Security Policy

Overview

AIBot requires three types of API credentials to function:

  1. OpenAI API Key
  2. Google Cloud Service Account Credentials
  3. YouTube Data API Key

CRITICAL: If you're setting up this project, the old API keys that were previously hardcoded in the source code have been REMOVED and should be considered COMPROMISED. You MUST generate new credentials.

Immediate Action Required

If You Previously Cloned/Forked This Repository

The following credentials were previously exposed in the codebase and MUST BE ROTATED IMMEDIATELY:

  1. OpenAI API Key: sk-zIA0... (partial key shown)
  2. YouTube Data API Key: AIzaSy... (partial key shown)
  3. Google Cloud Service Account: aibot-413801-a9f5d559eb28.json

Security Incident Response

If you believe these credentials may have been used:

  1. Immediately revoke all exposed API keys
  2. Generate new credentials (instructions below)
  3. Review API usage logs for suspicious activity
  4. Set up billing alerts to detect unusual usage
  5. Enable API restrictions (IP whitelisting, usage quotas)

Rotating Compromised Credentials

1. OpenAI API Key

Revoke Old Key

  1. Go to https://platform.openai.com/api-keys
  2. Find the compromised key (check last 4 characters if needed)
  3. Click the delete/revoke button
  4. Confirm revocation

Generate New Key

  1. Visit https://platform.openai.com/api-keys
  2. Click "Create new secret key"
  3. Name it something descriptive (e.g., "aibot-production-2024")
  4. IMMEDIATELY COPY THE KEY (you won't be able to see it again)
  5. Store it securely in your .env file:
    OPENAI_API_KEY=sk-your-new-key-here

Secure Your OpenAI Account

  1. Enable two-factor authentication
  2. Set usage limits: https://platform.openai.com/account/limits
  3. Set up billing alerts
  4. Consider creating separate keys for dev/production environments

2. Google Cloud Service Account

Disable Old Service Account

  1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts
  2. Select your project (was: aibot-413801)
  3. Find the service account: kartik-s-cloud-vision-api@aibot-413801.iam.gserviceaccount.com
  4. Click the three-dot menu → "Disable"
  5. Delete all associated keys

Create New Service Account

  1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts
  2. Click "Create Service Account"
  3. Name: aibot-secure-service-account
  4. Description: "Service account for AIBot competitive analysis tool"
  5. Click "Create and Continue"

Grant Appropriate Permissions

Assign ONLY the following roles (principle of least privilege):

  • Cloud Vision API User (roles/cloudvision.user)
  • Cloud Speech Client (roles/speech.client)
  • Storage Object Viewer (roles/storage.objectViewer) - if using Cloud Storage

DO NOT grant overly broad roles like "Editor" or "Owner".

Generate and Download Key

  1. Click on the newly created service account
  2. Go to the "Keys" tab
  3. Click "Add Key" → "Create new key"
  4. Choose JSON format
  5. Click "Create" (key file will download automatically)
  6. Move the JSON file to a secure location OUTSIDE your project directory
  7. Update your .env file:
    GOOGLE_APPLICATION_CREDENTIALS=/secure/path/to/your-service-account-key.json

Secure Your Google Cloud Project

  1. Enable two-factor authentication on your Google account
  2. Set up billing alerts
  3. Enable Cloud Audit Logs
  4. Restrict service account key creation (if in an organization)
  5. Rotate service account keys regularly (every 90 days recommended)

3. YouTube Data API Key

Delete Old API Key

  1. Go to https://console.cloud.google.com/apis/credentials
  2. Select your project
  3. Find the compromised API key (check last 4 characters: J9s)
  4. Click the delete icon
  5. Confirm deletion

Create New API Key

  1. Go to https://console.cloud.google.com/apis/credentials
  2. Click "Create Credentials" → "API Key"
  3. Copy the generated key immediately
  4. Click "Restrict Key" (IMPORTANT - see below)

Restrict API Key (Critical for Security)

  1. Application restrictions:
    • Option A: HTTP referrers (if running on a web server)
    • Option B: IP addresses (if running on known servers)
    • Option C: None (only for local development - NOT recommended for production)
  2. API restrictions:
    • Select "Restrict key"
    • Check ONLY "YouTube Data API v3"
    • Uncheck all other APIs
  3. Click "Save"
  4. Update your .env file:
    YOUTUBE_API_KEY=your-new-restricted-key-here

Set Usage Quotas

  1. Go to https://console.cloud.google.com/apis/api/youtube.googleapis.com/quotas
  2. Set daily quota limits (default is 10,000 units/day)
  3. Adjust based on your needs

Best Practices for Credential Management

DO:

  ✅ Store credentials in a .env file (excluded from git via .gitignore)
  ✅ Use environment variables for all sensitive data
  ✅ Rotate credentials regularly (every 90 days minimum)
  ✅ Set up billing alerts and usage monitoring
  ✅ Use separate credentials for dev/staging/production
  ✅ Enable two-factor authentication on all cloud accounts
  ✅ Review API usage logs regularly
  ✅ Apply the principle of least privilege (minimal permissions needed)
  ✅ Use API restrictions (IP whitelisting, referrer restrictions)
  ✅ Keep credentials encrypted at rest if stored long-term

DO NOT:

  ❌ Commit .env files to version control
  ❌ Hardcode credentials in source code
  ❌ Share credentials via email, Slack, or other messaging
  ❌ Use the same credentials across multiple projects
  ❌ Grant overly broad permissions to service accounts
  ❌ Store credentials in plaintext on shared drives
  ❌ Take screenshots containing credentials
  ❌ Paste credentials in support tickets or public forums
  ❌ Use compromised credentials "temporarily"


Setting Up Secure Credentials for New Users

Step 1: Copy the template

cp .env.example .env

Step 2: Generate fresh credentials

Follow the instructions above to create:

  1. New OpenAI API key
  2. New Google Cloud service account
  3. New YouTube Data API key

Step 3: Update .env file

Edit .env and fill in your credentials:

# OpenAI API Configuration
OPENAI_API_KEY=sk-your-new-openai-key-here

# Google Cloud Configuration
GOOGLE_APPLICATION_CREDENTIALS=/absolute/path/to/your-service-account.json

# YouTube Data API
YOUTUBE_API_KEY=your-new-youtube-api-key-here

Step 4: Set proper file permissions

On Unix/Linux/macOS:

chmod 600 .env

This ensures only you can read/write the file.

Step 5: Verify credentials are not tracked

git status

The .env file should NOT appear in the output. If it does, ensure .gitignore is configured correctly.
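The five setup steps above can be checked mechanically before the tool is run. The audit script below is an added example, not code from the AIBot repository; the placeholder wording it looks for, the sample project layout it writes and the "aibot-key.json" file name are constructed assumptions.

```python
import stat, tempfile
from pathlib import Path

REQUIRED_VARS = ("OPENAI_API_KEY", "GOOGLE_APPLICATION_CREDENTIALS", "YOUTUBE_API_KEY")
PLACEHOLDERS = ("your-new-", "your-service-account")  # assumed wording left over from .env.example

def parse_env(text):
    """Minimal KEY=VALUE parser for a .env file: skips comments/blank lines, strips quotes."""
    values = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values

def audit_env(project_dir):
    """Return a list of findings; an empty list means every check in the policy passes."""
    project = Path(project_dir).resolve()
    env_path = project / ".env"
    if not env_path.is_file():
        return ["missing .env (run: cp .env.example .env)"]
    findings = []
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode & 0o077:  # Step 4: chmod 600 leaves no group/other permission bits
        findings.append(f".env mode is {oct(mode)}, expected 0o600")
    gitignore = project / ".gitignore"
    if ".env" not in (gitignore.read_text().split() if gitignore.is_file() else []):
        findings.append(".env is not listed in .gitignore")  # Step 5; git check-ignore is authoritative
    values = parse_env(env_path.read_text())
    for var in REQUIRED_VARS:
        if not values.get(var):
            findings.append(f"{var} is not set")
        elif any(p in values[var] for p in PLACEHOLDERS):
            findings.append(f"{var} still holds the template placeholder")
    creds = values.get("GOOGLE_APPLICATION_CREDENTIALS", "")
    if creds and project in Path(creds).resolve().parents:  # a key file inside the tree can be committed
        findings.append("GOOGLE_APPLICATION_CREDENTIALS points inside the project directory")
    return findings

def build_sample_project(secure):
    """Write a constructed sample project to a temp dir and return its path (test data only)."""
    project, outside = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    key_file = (outside if secure else project) / "aibot-key.json"  # assumed name for the JSON key path
    (project / ".gitignore").write_text(".env\n" if secure else "__pycache__/\n")
    openai = "sk-CONSTRUCTED-not-a-real-key" if secure else "sk-your-new-key-here"
    youtube = "YOUTUBE_API_KEY=CONSTRUCTED-not-a-real-key\n" if secure else ""
    (project / ".env").write_text(f"OPENAI_API_KEY={openai}\nGOOGLE_APPLICATION_CREDENTIALS={key_file}\n{youtube}")
    (project / ".env").chmod(0o600 if secure else 0o644)
    return project
```

Run `audit_env(".")` from the project root; a hardened setup returns an empty list, while a project that still carries template values, a world-readable .env, or a key file inside the tree gets one finding per problem.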


Monitoring and Alerts

OpenAI

  1. Set up usage alerts: https://platform.openai.com/account/limits
  2. Review usage: https://platform.openai.com/usage
  3. Monitor costs: https://platform.openai.com/account/billing/overview

Google Cloud

  1. Set up billing alerts: https://console.cloud.google.com/billing/alerts
  2. Enable Cloud Audit Logs: https://console.cloud.google.com/iam-admin/audit
  3. Monitor API usage: https://console.cloud.google.com/apis/dashboard

YouTube Data API

  1. Monitor quota usage: https://console.cloud.google.com/apis/api/youtube.googleapis.com/quotas
  2. Set up billing alerts (if paid plan)
  3. Review access logs regularly

Incident Response

If you suspect a credential has been compromised:

  1. IMMEDIATELY REVOKE the compromised credential
  2. GENERATE NEW credentials following the steps above
  3. REVIEW LOGS for unauthorized usage
  4. ASSESS IMPACT - check for data access or API usage spikes
  5. UPDATE MONITORING - set up alerts to detect future breaches
  6. DOCUMENT - record what happened and how it was resolved
  7. LEARN - update security practices to prevent recurrence

Contact

For security concerns or to report vulnerabilities:

  • Email: [Your security contact email]
  • Security page: [Your security page URL]

Additional Resources


Last Updated: 2025-10-26

Note: This security policy should be reviewed and updated regularly as security practices and API features evolve.
