We actively support the following versions with security updates:

v0.5.0+ License Change: Starting with v0.5.0, ChittyCan will use AGPL v3 (with commercial licensing option). See LICENSE_STRATEGY.md.

Please DO NOT report security vulnerabilities through public GitHub issues.

1. Go to https://github.com/chittycorp/chittycan/security/advisories/new
2. Click "Report a vulnerability"
3. Fill out the form with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if you have one)

Email security reports to: security@chitty.cc

Include:

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact
• Your contact information (for follow-up)

• Initial Response: Within 24 hours
• Confirmation: Within 48 hours (we'll confirm if it's a valid vulnerability)
• Updates: We'll keep you informed of our progress
• Fix Timeline: Critical issues within 7 days, high priority within 14 days
• Disclosure: We'll coordinate disclosure timing with you

• We follow coordinated disclosure
• We'll work with you to understand and fix the issue
• We'll credit you in the security advisory (unless you prefer anonymity)
• Please give us reasonable time to fix before public disclosure

API Keys and Tokens

# ✅ GOOD: Store credentials in config file (not tracked by git)
can config  # Stores in ~/.config/chitty/config.json

# ❌ BAD: Don't commit credentials
git add config.json  # If it contains API keys

File Permissions

# Ensure config file is only readable by you
chmod 600 ~/.config/chitty/config.json

Token Security

# Use environment variables for sensitive operations
export CHITTYCAN_TOKEN=your_token
export OPENAI_API_KEY=your_key

# Don't expose tokens in command output
can config  # Masks sensitive values with ****

Gateway Security

# Use HTTPS for production gateways
openai.api_base = "https://gateway.example.com/v1"  # ✅
openai.api_base = "http://gateway.example.com/v1"   # ❌

# Enable OAuth for team deployments
can config
# → AI Platform → Gateway → OAuth: enabled

Dependencies

# Audit dependencies before submitting PRs
npm audit

# Fix critical/high vulnerabilities
npm audit fix

Secrets in Code

# ✅ GOOD: Use environment variables
const apiKey = process.env.CHITTYCAN_TOKEN;

# ❌ BAD: Hardcoded secrets
const apiKey = "sk-1234567890";  // NEVER DO THIS

Input Validation

// ✅ GOOD: Validate all user input
function validateUrl(url: string): boolean {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'https:';
  } catch {
    return false;
  }
}

// ❌ BAD: Trust user input
const url = userInput;  // Potential injection

Secure Token Storage

// ✅ GOOD: Hash tokens before storing
import crypto from 'crypto';
const hash = crypto.createHash('sha256').update(token).digest('hex');

// ❌ BAD: Store plaintext tokens
const storedToken = token;  // Vulnerable if config leaked

ChittyCan stores API keys and tokens in ~/.config/chitty/config.json.

Risks:

• If an attacker gains access to your filesystem, they can read your API keys
• Config file is stored in plaintext

Mitigations:

• File permissions are set to 600 (user read/write only)
• Use environment variables for CI/CD: CHITTYCAN_TOKEN, OPENAI_API_KEY, etc.
• For team deployments, use OAuth tokens (can be revoked)

ChittyCan gateway uses token-based authentication.

Risks:

• Tokens transmitted in HTTP headers
• Tokens stored in gateway database

Mitigations:

• Always use HTTPS in production
• Tokens are hashed (SHA-256) before database storage
• Tokens can be revoked via gateway admin
• OAuth flow for team deployments

We take dependency security seriously:

• Weekly npm audit runs via GitHub Actions
• Dependabot enabled for automatic PR updates
• Critical vulnerabilities fixed within 48 hours

Current State (v0.4.0):

• No rate limiting by default
• Gateway tiers have request limits (Free: 1000/day)

Risks:

• Unprotected gateways could be abused
• Denial of service via excessive requests

Mitigations (v0.5.0+):

• Request rate limiting per IP
• Token-based quotas
• Budget controls (daily/monthly limits)

• ✅ Token hashing (SHA-256)
• ✅ HTTPS enforcement for production
• ✅ Config file permissions (600)
• ✅ OAuth support in gateway
• ✅ Dependency auditing

• 🚧 Rate limiting per IP/token
• 🚧 Request/response logging for audit
• 🚧 Multi-factor authentication for gateway admin
• 🚧 Webhook signature verification
• 🚧 Enhanced RBAC for team features

• 📋 Security audit trail
• 📋 Anomaly detection (unusual API usage)
• 📋 Secrets rotation automation
• 📋 SOC 2 compliance (Enterprise tier)

Status: Not currently available

We're a small open-source project and don't have a formal bug bounty program yet. However:

• We deeply appreciate security researchers
• We'll credit you in our security advisories
• For critical vulnerabilities, we'll send ChittyCan swag
• Once we have funding, we'll establish a proper bounty program

We'll recognize security researchers who responsibly disclose vulnerabilities:

No vulnerabilities reported yet

Questions? Email security@chitty.cc or join our Discord

Last Updated: 2025-01-04