Pip handles sensitive financial context. Please report suspected vulnerabilities privately so they can be investigated before details are public.
Email: tyler@animasai.co
Do not open public issues or pull requests for:
- Credentials, secrets, provider tokens, webhook secrets, or service-role keys.
- Authentication bypasses or session handling flaws.
- Billing entitlement or Stripe webhook bugs.
- Plaid, Teller, or other provider-token handling bugs.
- Supabase RLS, database access, account deletion, data export, or data-retention flaws.
- Private user data, personal financial data, or screenshots containing real financial information.
- AI or prompt behavior that could leak sensitive user context.
Please include:
- A short description of the issue.
- Steps to reproduce with fake data or test accounts when possible.
- Affected routes, files, APIs, or provider flows.
- Any logs or screenshots with secrets and personal data removed.
In scope:
- Next.js app routes and API routes.
- Supabase Auth, RLS assumptions, service-role usage, and database access patterns.
- Financial provider token storage, refresh, repair, and webhook handling.
- Stripe checkout, webhook processing, and app-access entitlement logic.
- AI answer composition, tool gating, prompt-chip behavior, and data minimization.
- Spendable Cash Today calculations, account-sync state, savings-goal state, account deletion, and data export/delete flows.
Out of scope:
- Marketing copy issues without security impact.
- Social engineering against maintainers or users.
- Denial-of-service reports without data access, privilege, billing, or availability impact.
- Vulnerabilities in third-party services that are not caused by Pip's integration.
- Production deployment details that are intentionally not part of this public source release.
This repository is a public source release for reusable Pip product logic. It does not include production secrets, customer data, production provider accounts, or hosted deployment wiring.
Local fake-data mode is the safest default:
PIP_SUPABASE_MODE=off PIP_LOCAL_FAKE_APP_MODE=1 PIP_RATE_LIMIT_SALT=local-only npm run devIf you configure your own providers, use sandbox/test accounts and keep credentials in .env.local.
Pip's core security design goals are:
- Read-only financial data access.
- No money movement.
- Deterministic financial calculations outside the AI layer.
- Server-side provider credentials and service-role keys.
- Explicit consent before connecting financial data.
- Local fake-data mode for review and contribution.
No public source release should be treated as a substitute for your own deployment review. Run tests, audit dependencies, review provider settings, and verify database policies before connecting real accounts.
Maintainers will acknowledge serious reports as soon as practical, investigate impact, prepare a fix, and publish a disclosure when appropriate. Timing depends on severity, exploitability, and whether third-party providers are involved.