    Security Policy

    Security guidelines, vulnerability reporting, and best practices for AI Web Feeds

    Source: apps/web/content/docs/security.mdx

    Supported Versions

    We release patches for security vulnerabilities in the following versions:

    Version | Supported
    1.x.x   | ✅ Yes
    < 1.0   | ❌ No

    We recommend always using the latest stable version to ensure you have the most recent security updates.

    Reporting a Vulnerability

    We take the security of AI Web Feeds seriously. If you believe you have found a security vulnerability, please report it to us as described below.

    Please do not report security vulnerabilities through public GitHub issues.

    How to Report

    Use GitHub Security Advisories (Preferred)

    1. Go to github.com/wyattowalsh/ai-web-feeds/security/advisories
    2. Click "Report a vulnerability"
    3. Fill out the form with detailed information

    Or Send Secure Email

    • Send email to: wyattowalsh@gmail.com
    • Include "SECURITY" in the subject line
    • Provide detailed vulnerability information

    What to Include

    Please include the following information in your report:

    • Type of issue: buffer overflow, SQL injection, XSS, etc.
    • Affected files: Full paths of source files related to the issue
    • Source location: Tag/branch/commit or direct URL
    • Configuration: Any special configuration required to reproduce
    • Reproduction steps: Step-by-step instructions to reproduce the issue
    • Proof-of-concept: Exploit code or PoC (if possible)
    • Impact assessment: How an attacker might exploit the vulnerability

    The more detail you provide, the faster we can validate and fix the issue.

    Response Timeline

    Initial Acknowledgment

    We will acknowledge receipt of your vulnerability report within 48 hours.

    Detailed Response

    We will send a detailed response within 7 days indicating next steps and requesting any additional information needed.

    Progress Updates

    We will keep you informed of progress towards a fix and full announcement.

    Coordinated Disclosure

    We will coordinate with you on the timing of public disclosure.

    Disclosure Policy

    • We prefer to fully remediate vulnerabilities before public disclosure
    • We will coordinate disclosure timing with you
    • We will credit you in the security advisory (unless you prefer anonymity)
    • We ask that you avoid public disclosure until we've had time to address the issue

    Safe Harbor

    We support safe harbor for security researchers who:

    Act in Good Faith

    • Avoid privacy violations, data destruction, or service interruption
    • Only interact with accounts you own or have explicit permission to test

    Report Responsibly

    • Do not exploit security issues you discover for any reason
    • Report vulnerabilities as soon as you discover them

    Follow Guidelines

    • Respect our disclosure policy
    • Provide reasonable time for remediation before any public disclosure

    Researchers acting in good faith under these guidelines will not face legal action for security testing.

    Scope

    In Scope ✅

    The following components are in scope for security reports:

    • AI Web Feeds CLI tool
    • AI Web Feeds web application
    • Feed processing and validation logic
    • Data schema and validation
    • CI/CD workflows that could impact security
    • API endpoints and data handling
    • Authentication and authorization mechanisms

    Out of Scope ❌

    The following are out of scope:

    • Social engineering attacks
    • Physical attacks against infrastructure
    • Attacks requiring physical access to user devices
    • Denial of service attacks
    • Issues in third-party services or libraries (report to respective projects)
    • Publicly disclosed vulnerabilities (already known)

    Security Best Practices for Contributors

    When contributing to AI Web Feeds, follow these security best practices:

    Input Validation

    • Always validate and sanitize user input
    • Use schema validation for all external data
    • Implement proper type checking
    • Escape output for different contexts (HTML, SQL, shell, etc.)

    from pydantic import BaseModel, HttpUrl, validator
    
    class FeedInput(BaseModel):
        url: HttpUrl
        name: str
    
        @validator('name')
        def validate_name(cls, v):
            if len(v) > 200:
                raise ValueError('Name too long')
            return v.strip()

    Dependencies

    • Keep all dependencies up to date
    • Review security advisories for dependencies
    • Use pip-audit or similar tools to scan for vulnerabilities
    • Pin dependency versions in production

    # Check for vulnerabilities
    uv run --with pip-audit pip-audit
    
    # Update dependencies safely
    uv lock --upgrade-package package-name
    uv sync

    Secrets Management

    • Never commit API keys, passwords, or secrets to version control
    • Use environment variables for sensitive configuration
    • Use .env files (add to .gitignore)
    • Rotate secrets regularly

    import os
    from dotenv import load_dotenv
    
    load_dotenv()
    api_key = os.getenv('API_KEY')  # Never hardcode!
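
    A pre-commit style check for the "never commit secrets" rule above, run over constructed file contents. This is an added example, not the project's tooling and not a stand-in for GitHub Secret Scanning; the regex heuristics, the sample files and the function names are assumptions made for illustration.

```python
import re

# Heuristic: a secret-looking key assigned a quoted literal of 8+ characters.
# These patterns are assumptions for this example, not any real scanner's rules.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<key>[a-z0-9_]*(?:api_?key|secret|password|passwd|token)[a-z0-9_]*)
    ['"]?\s*[:=]\s*                      # optional closing quote of a dict key
    (?P<q>['"])(?P<value>[^'"\s]{8,})(?P=q)
    """
)
# Documentation placeholders that should not be reported.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|x{8,}|changeme.*)$", re.I)

def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per hardcoded secret-like literal, value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if PLACEHOLDER.match(value):
                continue
            # Keep only a short prefix so the report itself does not leak the secret.
            preview = value[:4] + "*" * (len(value) - 4)
            findings.append({"path": path, "line": lineno,
                             "key": m.group("key"), "preview": preview})
    return findings

def scan_staged(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> staged content."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample input: none of these values are real credentials.
STAGED = {
    "settings.py": (
        "import os\n"
        "api_key = os.getenv('API_KEY')  # read from the environment\n"
        "DB_PASSWORD = \"hunter2-not-a-real-password\"\n"
    ),
    "client.py": "headers = {'auth_token': 'tok_CONSTRUCTED_0123456789'}\n",
    "README.md": "Set API_KEY=\"<your-key-here>\" in your .env file\n",
}

if __name__ == "__main__":
    results = scan_staged(STAGED)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['key']} = {f['preview']}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit
```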

    Code Review

    • All code changes require review before merging
    • Include security considerations in review checklist
    • Test for common vulnerabilities (OWASP Top 10)
    • Document security implications of changes

    Review Checklist:

    • ✅ Input validation implemented
    • ✅ No hardcoded secrets
    • ✅ Dependencies are up to date
    • ✅ Tests include security scenarios
    • ✅ Documentation updated

    Automated Security

    We use several automated tools to maintain security:

    Dependency Scanning

    • Dependabot: Automatically checks for vulnerable dependencies
    • pip-audit: Scans Python packages for known vulnerabilities
    • npm audit: Scans Node.js packages for security issues

    Code Analysis

    • CodeQL: Automated security scanning of code
    • Ruff: Python linter with security rules
    • ESLint: JavaScript/TypeScript security linting

    CI/CD Security

    • Dependency Review: Reviews dependency changes in PRs
    • Secret Scanning: Prevents accidental secret commits
    • Security Policy Enforcement: Automated checks for security requirements

    All pull requests are automatically scanned for security issues before merging.

    Security Updates

    Security updates are released according to severity:

    Severity | Response Time        | Release Type
    Critical | Immediate            | Patch version (within 24h)
    High     | Within 7 days        | Patch version
    Medium   | Within 30 days       | Minor version
    Low      | Next planned release | Minor/Patch version

    Security Advisories

    Security advisories are published at: github.com/wyattowalsh/ai-web-feeds/security/advisories

    Subscribe to receive notifications:

    • Watch the repository
    • Enable security alerts in your GitHub settings
    • Subscribe to release notifications

    Common Security Scenarios

    Feed URL Validation

    from ai_web_feeds.models import FeedSource
    from pydantic import HttpUrl
    
    # Always validate URLs
    def add_feed(url: str) -> FeedSource:
        # Pydantic validates URL format
        validated_url = HttpUrl(url)
    
        # Additional checks
        if validated_url.scheme not in ['http', 'https']:
            raise ValueError("Invalid URL scheme")
    
        return FeedSource(url=str(validated_url))

    SQL Injection Prevention

    from ai_web_feeds.models import FeedSource
    from sqlmodel import select, Session
    
    # ✅ Good: Using parameterized queries
    def get_feed_by_name(session: Session, name: str):
        statement = select(FeedSource).where(FeedSource.name == name)
        return session.exec(statement).first()
    
    # ❌ Bad: String interpolation (vulnerable to SQL injection)
    # def get_feed_by_name(session: Session, name: str):
    #     query = f"SELECT * FROM feedsource WHERE name = '{name}'"
    #     return session.exec(query)
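
    The two query styles above, run side by side against an in-memory SQLite table. This is an added example, not code from the AI Web Feeds project: it uses the standard-library sqlite3 driver instead of SQLModel, and the rows, the crafted name and the helper names are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the feedsource table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feedsource (id INTEGER PRIMARY KEY, name TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO feedsource (name, url) VALUES (?, ?)",
        [
            ("Example ML Blog", "https://blog.example.org/feed.xml"),
            ("Ada's AI Notes", "https://ada.example.org/rss"),
            ("Unlisted Draft Feed", "https://drafts.example.org/rss"),
        ],
    )
    return conn

def names_interpolated(conn: sqlite3.Connection, name: str) -> list[str]:
    # 'Before': the value is pasted into the SQL text, so quotes in it are parsed as SQL.
    query = f"SELECT name FROM feedsource WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def names_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    # 'After': the driver binds the value, so it is only ever compared as data.
    rows = conn.execute("SELECT name FROM feedsource WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

# Constructed input: a quote followed by a boolean clause.
CRAFTED = "nope' OR '1'='1"

def compare(name: str) -> dict:
    """Run both query styles on a fresh database and report what each returns."""
    conn = make_db()
    try:
        interpolated = names_interpolated(conn, name)
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe is enough to break the interpolated query.
        interpolated = f"error: {type(exc).__name__}"
    return {"interpolated": interpolated, "parameterized": names_parameterized(conn, name)}

if __name__ == "__main__":
    for sample in ("Example ML Blog", "Ada's AI Notes", CRAFTED):
        print(repr(sample), compare(sample))
```

    The interpolated form fails in both directions: a legitimate name containing an apostrophe raises a syntax error, and the crafted name matches every row, while the bound parameter treats both inputs as plain strings.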

    XSS Prevention in Web UI

    // ✅ Good: React automatically escapes content
    function FeedTitle({ title }: { title: string }) {
      return <h1>{title}</h1>; // Escaped by default
    }
    
    // ❌ Bad: dangerouslySetInnerHTML without sanitization
    // function FeedContent({ html }: { html: string }) {
    //   return <div dangerouslySetInnerHTML={{ __html: html }} />;
    // }

    Recognition

    We appreciate the security research community's efforts to responsibly disclose vulnerabilities.

    Contributors who report valid security issues will be:

    • Credited in the security advisory (if desired)
    • Listed in our security acknowledgments
    • Recognized in our Hall of Fame
    • Eligible for potential rewards (to be determined)

    Thank you for helping keep AI Web Feeds and our users safe!

    Additional Resources

    Contact

    For general security questions (not vulnerability reports):
