This project is currently in active development. Security updates will be applied to the latest version on the main branch.

If you discover a security vulnerability in this project, please report it responsibly:

Please DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please:

1. Email: Create a private security advisory on GitHub

   • Go to the Security tab
   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability

2. What to include:

   • Type of vulnerability (e.g., SQL injection, XSS, insecure storage)
   • Location of the vulnerable code (file path and line number)
   • Step-by-step instructions to reproduce
   • Potential impact of the vulnerability
   • Suggested fix (if you have one)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity (critical issues within 7 days)

Never commit sensitive data to git:

• ✅ Store OpenAI API key in AWS Parameter Store (encrypted)
• ✅ Use .env files for local development (ignored by git)
• ✅ Use AWS IAM roles for Lambda function permissions
• ❌ Never hardcode API keys in source code
• ❌ Never commit .env or samconfig.toml to git

Verify your configuration:

# Check that sensitive files are ignored
git status --ignored

# These should appear in ignored files:
# - .env
# - samconfig.toml
# - node_modules/

IAM Permissions:

• Use least-privilege IAM policies
• Lambda functions only have access to required services (S3, Parameter Store)
• API Gateway endpoints are public by default (consider adding authentication)

S3 Bucket Security:

• Buckets are private by default
• Enable versioning for data recovery
• Consider enabling server-side encryption
• Review bucket policies regularly

API Gateway:

• CORS is enabled for frontend access
• Consider adding API keys or AWS WAF for production
• Monitor API usage with CloudWatch

Transcript Data:

• All transcripts are stored in your AWS S3 bucket
• Data is not shared with third parties (except OpenAI for analysis)
• You own all data and can delete it at any time

OpenAI API:

• Transcripts are sent to OpenAI API for analysis
• Review OpenAI's data usage policy
• Consider using zero data retention for API calls
• For sensitive data, consider self-hosted AI models

Checklist for secure production deployment:

• Enable AWS CloudTrail for audit logging
• Set up AWS Config for compliance monitoring
• Enable S3 bucket versioning and lifecycle policies
• Configure CloudWatch Alarms for suspicious activity
• Use AWS Secrets Manager or Parameter Store for all secrets
• Implement API authentication (AWS Cognito, API keys, or custom auth)
• Enable AWS WAF to protect against common web exploits
• Review and minimize IAM permissions
• Enable MFA on AWS root account
• Use separate AWS accounts for dev/staging/production
• Implement rate limiting on API Gateway
• Regular security audits and dependency updates

1. API Gateway is Public: The API endpoints are publicly accessible. For production:

   • Add authentication (AWS Cognito, API keys, or custom)
   • Implement rate limiting
   • Use AWS WAF

2. OpenAI API Calls: Transcripts are sent to OpenAI:

   • Data is processed by OpenAI's models
   • Review OpenAI's privacy policy
   • Consider API zero data retention settings
   • For highly sensitive data, use self-hosted models

3. No User Authentication: Current version has no auth:

   • Anyone with the frontend URL can upload/view calls
   • Recommended: Add AWS Cognito or similar for multi-user deployments

4. CORS Configuration: Frontend domain is allowed via CORS:

   • Update CORS settings in backend/template.yaml for production
   • Restrict to specific domains, not *

This project uses GitHub Dependabot to:

• Monitor dependencies for known vulnerabilities
• Automatically create PRs for security updates

Run regular security audits:

# Frontend dependencies
cd frontend
npm audit
npm audit fix

# Backend Lambda dependencies
cd backend/lambda/processCall
npm audit
npm audit fix

1. Never commit secrets: Always use environment variables or AWS Parameter Store
2. Keep dependencies updated: Regularly run npm audit and update packages
3. Review third-party code: Understand what dependencies do before adding them
4. Use parameterized queries: Prevent injection attacks (if adding database)
5. Validate input: Always validate and sanitize user input
6. Handle errors safely: Don't expose sensitive information in error messages

Before merging PRs, verify:

• No hardcoded credentials or API keys
• Environment variables used for configuration
• Input validation on all user-provided data
• Error messages don't leak sensitive information
• Dependencies are up-to-date and audited
• CORS policies are restrictive
• Logging doesn't include sensitive data

In the event of a security incident:

1. Immediately rotate compromised credentials:

   aws ssm put-parameter \
     --name /call-analysis/prod/openai-api-key \
     --value "new-key-here" \
     --type SecureString \
     --overwrite

2. Review CloudWatch Logs for suspicious activity

3. Check S3 bucket access logs for unauthorized access

4. Notify affected users if data was compromised

5. Document the incident and implement preventive measures

• AWS Security Best Practices
• OWASP Top 10
• AWS Well-Architected Framework - Security Pillar
• OpenAI API Data Privacy

For security-related questions (not vulnerabilities), open a GitHub issue with the security label.

Thank you for helping keep this project secure!