Security Policy

Security guidelines, vulnerability reporting, and best practices for AI Web Feeds

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version	Supported
1.x.x	✅ Yes
< 1.0	❌ No

We recommend always using the latest stable version to ensure you have the most recent security updates.

Reporting a Vulnerability

We take the security of AI Web Feeds seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

How to Report

Use GitHub Security Advisories (Preferred)

Go to github.com/wyattowalsh/ai-web-feeds/security/advisories
Click "Report a vulnerability"
Fill out the form with detailed information

Or Send Secure Email

Send email to: wyattowalsh@gmail.com
Include "SECURITY" in the subject line
Provide detailed vulnerability information

What to Include

Please include the following information in your report:

Type of issue: buffer overflow, SQL injection, XSS, etc.
Affected files: Full paths of source files related to the issue
Source location: Tag/branch/commit or direct URL
Configuration: Any special configuration required to reproduce
Reproduction steps: Step-by-step instructions to reproduce the issue
Proof-of-concept: Exploit code or PoC (if possible)
Impact assessment: How an attacker might exploit the vulnerability

The more detail you provide, the faster we can validate and fix the issue.

Response Timeline

Initial Acknowledgment

We will acknowledge receipt of your vulnerability report within 48 hours.

Detailed Response

We will send a detailed response within 7 days indicating next steps and requesting any additional information needed.

Progress Updates

We will keep you informed of progress towards a fix and full announcement.

Coordinated Disclosure

We will coordinate with you on the timing of public disclosure.

Disclosure Policy

We prefer to fully remediate vulnerabilities before public disclosure
We will coordinate disclosure timing with you
We will credit you in the security advisory (unless you prefer anonymity)
We ask that you avoid public disclosure until we've had time to address the issue

Safe Harbor

We support safe harbor for security researchers who:

Act in Good Faith

Avoid privacy violations, data destruction, or service interruption
Only interact with accounts you own or have explicit permission to test

Report Responsibly

Do not exploit security issues you discover for any reason
Report vulnerabilities as soon as you discover them

Follow Guidelines

Respect our disclosure policy
Provide reasonable time for remediation before any public disclosure

Researchers acting in good faith under these guidelines will not face legal action for security testing.

Scope

In Scope ✅

The following components are in scope for security reports:

AI Web Feeds CLI tool
AI Web Feeds web application
Feed processing and validation logic
Data schema and validation
CI/CD workflows that could impact security
API endpoints and data handling
Authentication and authorization mechanisms

Out of Scope ❌

The following are out of scope:

Social engineering attacks
Physical attacks against infrastructure
Attacks requiring physical access to user devices
Denial of service attacks
Issues in third-party services or libraries (report to respective projects)
Publicly disclosed vulnerabilities (already known)

Security Best Practices for Contributors

When contributing to AI Web Feeds, follow these security best practices:

Input Validation

Always validate and sanitize user input
Use schema validation for all external data
Implement proper type checking
Escape output for different contexts (HTML, SQL, shell, etc.)

from pydantic import BaseModel, HttpUrl, validator

class FeedInput(BaseModel):
    url: HttpUrl
    name: str

    @validator('name')
    def validate_name(cls, v):
        if len(v) > 200:
            raise ValueError('Name too long')
        return v.strip()

Dependencies

Keep all dependencies up to date
Review security advisories for dependencies
Use pip-audit or similar tools to scan for vulnerabilities
Pin dependency versions in production

# Check for vulnerabilities
pip-audit

# Update dependencies safely
pip install --upgrade package-name

Secrets Management

Never commit API keys, passwords, or secrets to version control
Use environment variables for sensitive configuration
Use .env files (add to .gitignore)
Rotate secrets regularly

import os
from dotenv import load_dotenv

load_dotenv()
api_key = os.getenv('API_KEY')  # Never hardcode!

Code Review

All code changes require review before merging
Include security considerations in review checklist
Test for common vulnerabilities (OWASP Top 10)
Document security implications of changes

Review Checklist:

✅ Input validation implemented
✅ No hardcoded secrets
✅ Dependencies are up to date
✅ Tests include security scenarios
✅ Documentation updated

Automated Security

We use several automated tools to maintain security:

Dependency Scanning

Dependabot: Automatically checks for vulnerable dependencies
pip-audit: Scans Python packages for known vulnerabilities
npm audit: Scans Node.js packages for security issues

Code Analysis

CodeQL: Automated security scanning of code
Ruff: Python linter with security rules
ESLint: JavaScript/TypeScript security linting

CI/CD Security

Dependency Review: Reviews dependency changes in PRs
Secret Scanning: Prevents accidental secret commits
Security Policy Enforcement: Automated checks for security requirements

All pull requests are automatically scanned for security issues before merging.

Security Updates

Security updates are released according to severity:

Severity	Response Time	Release Type
Critical	Immediate	Patch version (within 24h)
High	Within 7 days	Patch version
Medium	Within 30 days	Minor version
Low	Next planned release	Minor/Patch version

Security Advisories

Security advisories are published at: github.com/wyattowalsh/ai-web-feeds/security/advisories

Subscribe to receive notifications:

Watch the repository
Enable security alerts in your GitHub settings
Subscribe to release notifications

Common Security Scenarios

Feed URL Validation

from ai_web_feeds.models import FeedSource
from pydantic import HttpUrl

# Always validate URLs
def add_feed(url: str) -> FeedSource:
    # Pydantic validates URL format
    validated_url = HttpUrl(url)

    # Additional checks
    if validated_url.scheme not in ['http', 'https']:
        raise ValueError("Invalid URL scheme")

    return FeedSource(url=str(validated_url))

SQL Injection Prevention

from sqlmodel import select, Session

# ✅ Good: Using parameterized queries
def get_feed_by_name(session: Session, name: str):
    statement = select(FeedSource).where(FeedSource.name == name)
    return session.exec(statement).first()

# ❌ Bad: String interpolation (vulnerable to SQL injection)
# def get_feed_by_name(session: Session, name: str):
#     query = f"SELECT * FROM feedsource WHERE name = '{name}'"
#     return session.exec(query)

XSS Prevention in Web UI

// ✅ Good: React automatically escapes content
function FeedTitle({ title }: { title: string }) {
  return <h1>{title}</h1>; // Escaped by default
}

// ❌ Bad: dangerouslySetInnerHTML without sanitization
// function FeedContent({ html }: { html: string }) {
//   return <div dangerouslySetInnerHTML={{ __html: html }} />;
// }

Recognition

We appreciate the security research community's efforts to responsibly disclose vulnerabilities.

Contributors who report valid security issues will be:

✅ Credited in the security advisory (if desired)
✅ Listed in our security acknowledgments
✅ Recognized in our Hall of Fame
✅ Eligible for potential rewards (to be determined)

Thank you for helping keep AI Web Feeds and our users safe!

Additional Resources

Contact

For general security questions (not vulnerability reports):

Open a GitHub Discussion
Email: wyattowalsh@gmail.com

Security Policy

On this page