If you discover a security issue or vulnerability in this project, please:
- Do NOT open a public GitHub issue with sensitive details.
- Email the maintainers with a detailed report:
rdwarkesh1300@gmail.com - Include:
- Description of the issue
- Steps to reproduce
- Expected vs actual behavior
- Screenshots / logs if available
- Affected versions
We will respond within 5 business days.
| Version | Status |
|---|---|
| 1.0.0 | Supported |
| <1.0.0 | Security fixes only |
Only officially released versions are supported for security updates.
- Never commit API keys (e.g.,
GEMINI_API_KEY) into the repository. - Use environment variables (
.env) or secret management tools. - Add all secrets to
.gitignore.
- Regularly update dependencies to mitigate known vulnerabilities (use tools like
dependabot). - Before merging external changes, ensure:
- Python dependencies (
requirements.txt) - JavaScript libraries (via
package.json) are up to date.
- Python dependencies (
- All user inputs (especially any form data, file uploads, or API parameters) must be validated and sanitized.
- Protect against injection attacks (SQL, command-line, prompt injection).
- Validate video transcript data and repository metadata before processing.
- If you add user accounts or protected APIs, ensure proper auth checks.
- Avoid exposing admin endpoints without strong safeguards.
- Since the app interacts with LLMs (Google Gemini 2.5 Flash), guard against prompt injection attacks by:
- Filtering or limiting user-controlled text injected into prompts.
- Applying sanity checks and strict token limits before sending content to LLM APIs. :contentReference[oaicite:1]{index=1}
- Do not log sensitive user data (API keys, personal info).
- If storing or processing demo transcripts, inform users and follow data minimization.
- Use secure HTTP headers (CSP, X-Frame-Options).
- Escape rendered UI content from untrusted sources.
- Avoid exposing secrets in the client bundle.
- Do not leak stack traces or environment info to clients.
- Log errors securely server-side without sensitive payloads.
- Set up automated scans using tools like:
- SAST / dependency scanners (e.g., Bandit for Python, ESLint with security plugins).
- SBOM generation for dependencies. :contentReference[oaicite:2]{index=2}
- Ensure builds fail if critical vulnerabilities are introduced.
Before every major release:
- Conduct static analysis
- Perform dependency vulnerability scans
- Run integration tests covering AI integration components
This project uses external services (e.g., Google Gemini 2.5 Flash API):
- Only send necessary data β never send sensitive credentials.
- Review Terms & Privacy of each external API.
This Security Policy is a living document and will be updated as the project evolves or as new security threats emerge.
Last updated: π December 2025