The TORA team takes security seriously. We appreciate your efforts to responsibly disclose your findings.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

• Email: security@toraai.app
• Subject: [SECURITY] Brief description of the issue

To help us triage and fix the issue quickly, please include:

1. Description: Clear description of the vulnerability
2. Impact: What an attacker could achieve
3. Steps to Reproduce: Detailed steps to reproduce the issue
4. Proof of Concept: If applicable, code or screenshots
5. Affected Versions: Which versions are affected
6. Suggested Fix: If you have ideas on how to fix it (optional)
7. Your Contact Info: How we can reach you for follow-up

• Acknowledgment: We'll acknowledge receipt within 48 hours
• Initial Response: We'll provide an initial assessment within 5 business days
• Status Updates: We'll keep you informed of our progress
• Resolution: We aim to resolve critical issues within 30 days
• Credit: We'll credit you in the release notes (unless you prefer to remain anonymous)

We currently support the following versions with security updates:

1. Keep TORA Updated: Always use the latest version
2. Download from Official Sources: Only download from GitHub Releases
3. Verify Signatures: Check file hashes before installing
4. Use Antivirus: Keep your antivirus software up to date
5. Report Suspicious Behavior: If TORA behaves unexpectedly, report it

1. Keep Dependencies Updated: Regularly update npm packages
2. Review Code Changes: Carefully review all code before committing
3. Don't Commit Secrets: Never commit API keys, tokens, or credentials
4. Use Environment Variables: Store sensitive data in .env files (gitignored)
5. Enable 2FA: Use two-factor authentication on GitHub
6. Follow Secure Coding: Follow OWASP guidelines

• TORA runs AI models locally on your machine
• Models downloaded from Ollama are verified
• No data is sent to external servers (except for optional features like web search)

• User credentials are managed by Firebase
• We follow Firebase security best practices
• Enable 2FA in your Firebase account for added security

• Context isolation is enabled
• Node integration in renderer is disabled
• Web security is enabled
• Remote content loading is restricted

• AI tools (Stable Diffusion, etc.) run in isolated processes
• Each tool runs on its own port
• Network access is controlled

Security updates are released as:

• Critical: Immediate patch release (1.6.x → 1.6.x+1)
• High: Next minor release or patch
• Medium: Next minor release
• Low: Next major release

Users are notified via:

• GitHub Security Advisories
• Release notes
• In-app notifications (for critical issues)

1. Private Disclosure: Report privately to security@toraai.app
2. Embargo Period: We request a 90-day embargo before public disclosure
3. Coordinated Disclosure: We'll coordinate with you on timing
4. CVE Assignment: We'll request CVEs for qualifying vulnerabilities
5. Public Disclosure: After fix is released and deployed

We recognize security researchers who help us keep TORA secure:

• Security Issues: security@toraai.app
• General Support: support@toraai.app
• GitHub Issues: github.com/Swordofyzc/tora/issues (non-security issues only)

• Electron Security Guidelines
• OWASP Top 10
• Firebase Security Rules
• Node.js Security Best Practices

Thank you for helping keep TORA and its users safe! 🙏