Security Policy

Last Updated: February 5, 2026

Reporting Security Vulnerabilities

The security of CyberAi is a top priority. We appreciate the security research community's efforts to responsibly disclose vulnerabilities.

How to Report

If you discover a security vulnerability, please report it privately through GitHub's Security Advisory feature (private vulnerability reporting), so that the report is visible only to the maintainers until a fix is available:

  1. Go to the Security Advisories page
  2. Click "Report a vulnerability"
  3. Provide detailed information about the vulnerability

Please do not report security vulnerabilities through public GitHub issues.

What to Include

When reporting a vulnerability, please include:

  • Type of vulnerability
  • Affected components or versions
  • Step-by-step reproduction instructions
  • Potential impact assessment
  • Suggested fix (if available)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Based on severity
    • Critical: 1-3 days
    • High: 7-14 days
    • Medium: 30 days
    • Low: 90 days

Security Measures

Code Security

  • Automated security scanning with CodeQL
  • Dependency vulnerability monitoring
  • Code review requirements for all changes
  • Branch protection rules

CI/CD Security

  • Minimal GitHub Actions permissions
  • Secret scanning enabled
  • Signed commits encouraged
  • Automated security updates via Dependabot
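As an added example (not a workflow from the CyberAi repository), the following GitHub Actions workflow applies the "minimal permissions" rule above to a CodeQL scan. The workflow name, the trigger branches and the `make test` command are assumptions; the permission scopes for the CodeQL job are the ones documented for the `github/codeql-action` action.

```yaml
# Added example, not CyberAi's own workflow.
# Least-privilege GITHUB_TOKEN: deny everything at the top level,
# then grant each job only the scopes it actually needs.
name: codeql-least-privilege   # assumption: pick any name

on:
  push:
    branches: [main]           # assumption: the protected default branch
  pull_request:
    branches: [main]

# Weak setting, for contrast: omitting this block, or writing
#   permissions: write-all
# gives the token write access to contents, packages, pull requests, etc.
# Hardened setting: start from no scopes and opt in per job below.
permissions: {}

jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # needed to check out the source
      security-events: write  # needed to upload SARIF results to code scanning
      actions: read           # documented as required only for private repositories
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        # no "languages" input: the action auto-detects them from the repository
      - uses: github/codeql-action/analyze@v3

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # tests only read the checkout; no write scope is granted
    steps:
      - uses: actions/checkout@v4
      - run: make test        # assumption: substitute the project's real test command
```

With `permissions: {}` at the top level, any job that forgets to declare its own `permissions` block runs with a token that can do nothing, which turns a missing declaration into a visible failure instead of a silently over-privileged job.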

Smart Contract Security

  • Comprehensive audit capabilities
  • Static and dynamic analysis
  • Gas optimization checks
  • Common vulnerability detection

Supported Versions

Security updates are provided for:

  • Current major version (v1.x.x)
  • Previous major version (critical issues only)

Security Best Practices

For Users

  • Keep CyberAi updated to the latest version
  • Use strong authentication for GitHub
  • Enable 2FA on all accounts
  • Review permissions before granting access
  • Regularly audit workflow configurations

For Contributors

  • Never commit secrets or credentials
  • Read sensitive data from environment variables instead of hard-coding it
  • Follow secure coding guidelines
  • Test security implications of changes
  • Keep dependencies updated

Security Audit Tools

CyberAi provides built-in security tools:

  • Contract Auditor: Scan smart contracts for vulnerabilities
  • CodeQL Integration: Automated code analysis
  • Dependency Scanner: Check for vulnerable dependencies
  • Secret Detector: Identify exposed credentials

Learn more in our Security Audit documentation.

Vulnerability Disclosure

When a vulnerability is fixed:

  • Security advisory published on GitHub
  • CVE assigned for significant issues
  • Credit given to reporter (if desired)
  • Detailed fix information provided

Security Hall of Fame

We acknowledge security researchers who responsibly disclose vulnerabilities. Contributors will be credited in our security advisories and release notes.

Contact

For security-related questions:

Resources