Security is our top priority. We take all security vulnerabilities seriously.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to:

Please use GitHub Security Advisories to report vulnerabilities:

https://github.com/agentguard-ai/tealtiger/security/advisories/new

Note: If you get a 404 error, Security Advisories may not be enabled yet. In that case, please:

1. Open a GitHub issue with the title prefix [SECURITY] (do NOT include sensitive details)
2. We will contact you privately to discuss the vulnerability details

Please include as much of the following information as possible:

• Type of vulnerability (e.g., authentication bypass, injection, etc.)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability and how an attacker might exploit it
• Any potential mitigations you've identified

• Initial Response: Within 24 hours
• Status Update: Within 72 hours
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: 30-90 days

1. Acknowledgment - We'll confirm receipt of your report
2. Investigation - We'll investigate and validate the vulnerability
3. Fix Development - We'll develop and test a fix
4. Disclosure - We'll coordinate disclosure with you
5. Credit - We'll credit you in our security advisories (if desired)

• API Key Authentication - Secure authentication for all API calls
• HTTPS Only - All communications encrypted in transit
• Input Validation - Comprehensive validation of all inputs
• Rate Limiting - Protection against abuse
• Audit Logging - Complete audit trail of all actions
• Dependency Scanning - Regular security audits of dependencies

• Code Review - All code changes reviewed before merge
• Automated Testing - Comprehensive test suite including security tests
• Dependency Updates - Regular updates to address known vulnerabilities
• Static Analysis - Automated security scanning in CI/CD
• Least Privilege - Minimal permissions by default

We provide security updates for the following versions:

Risk: Exposed API keys can lead to unauthorized access

Mitigation:

• Never commit API keys to version control
• Use environment variables for API keys
• Rotate API keys regularly
• Use different keys for different environments

// ✅ Good - Use environment variables
const client = new TealOpenAI({
  apiKey: process.env.OPENAI_API_KEY
});

// ❌ Bad - Hardcoded API key
const client = new TealOpenAI({
  apiKey: 'sk-1234567890abcdef'
});

Risk: Man-in-the-middle attacks on unencrypted connections

Mitigation:

• Always use HTTPS for SSA connections
• Validate SSL certificates
• Use certificate pinning for high-security environments

// ✅ Good - HTTPS URL
const client = new TealOpenAI({
  apiKey: process.env.OPENAI_API_KEY
});

// Note: TealTiger uses OpenAI/Anthropic APIs directly
// No separate SSA URL needed for v1.0.0

Risk: Injection attacks through unvalidated inputs

Mitigation:

• SDK validates all inputs before sending to SSA
• Use TypeScript types for compile-time validation
• Sanitize user inputs before passing to tools

// ✅ Good - Validated input
const result = await client.chat.completions.create({
  model: 'gpt-4',
  messages: [{ 
    role: 'user', 
    content: sanitizeInput(userInput) 
  }],
  max_tokens: Math.min(userMaxTokens, 4000)
});

Risk: Vulnerabilities in third-party dependencies

Mitigation:

• Regular dependency audits (npm audit)
• Automated dependency updates (Dependabot)
• Minimal dependency footprint
• Pinned dependency versions

• Code Review: Every pull request
• Dependency Scan: Weekly
• Static Analysis: On every commit
• Penetration Testing: Quarterly

We welcome security researchers to audit our code:

• Bug Bounty: Coming soon
• Responsible Disclosure: Always welcome
• Public Audits: Planned for v1.0.0

• Store API keys in environment variables
• Use HTTPS for all SSA connections
• Validate and sanitize all user inputs
• Keep SDK updated to latest version
• Review security advisories regularly
• Enable audit logging
• Implement rate limiting
• Use least-privilege policies

• Rotate API keys regularly
• Monitor for suspicious activity
• Set up security alerts
• Implement backup and recovery
• Use separate keys per environment
• Enable all security features
• Regular security audits
• Incident response plan

• v0.2.0

  • Built-in guardrails for common threats
  • PII detection and redaction
  • Content moderation
  • Prompt injection detection

• v0.3.0

  • Advanced threat detection
  • Behavioral analysis
  • Anomaly detection
  • Threat intelligence integration

• v1.0.0

  • Security certification (SOC 2)
  • Compliance frameworks (HIPAA, GDPR)
  • Advanced encryption
  • Zero-trust architecture

• Security Best Practices
• API Security Guide
• Threat Model

• Security Examples

We recognize security researchers who help us improve:

No vulnerabilities reported yet - be the first!

• Security Issues: Use GitHub Security Advisories
• GitHub: agentguard-ai/tealtiger

We follow coordinated disclosure:

1. Report - Researcher reports vulnerability privately
2. Acknowledge - We acknowledge within 24 hours
3. Fix - We develop and test a fix
4. Release - We release the fix
5. Disclose - We publicly disclose (coordinated with researcher)

• Critical: 7 days after fix release
• High: 14 days after fix release
• Medium: 30 days after fix release
• Low: 90 days after fix release

We credit security researchers in:

• Security advisories
• Release notes
• Security Hall of Fame
• Social media (with permission)

Thank you for helping keep TealTiger secure! 🔒