We actively provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |

AgentCHAT implements several security measures to protect user data:
- Encrypted Storage: API keys are encrypted using `electron-store` with per-installation encryption keys
- Context Isolation: Renderer process runs in isolated context, cannot access Node.js APIs
- Sandboxed Content: Web content runs in sandboxed environment with strict security boundaries
- Secure IPC: All main/renderer communication goes through secure preload script bridge
- API keys are never stored in plain text
- Keys are encrypted at rest with per-installation encryption
- No API keys are logged or transmitted except to their respective AI providers
- Users maintain full control over their API key storage and management
- HTTPS-only communication with AI providers
- No telemetry or analytics data collection
- All network requests are user-initiated through secure API clients
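
An added example (not AgentCHAT's own code) of how the Context Isolation, Sandboxed Content, Secure IPC and HTTPS-only measures above can be checked in review: it audits a `BrowserWindow` options object and a list of provider endpoints. The sample objects, the preload path and the `api.example.com` host are constructed for illustration.

```javascript
// Added example, not AgentCHAT source. Audits a BrowserWindow options object
// for the renderer-hardening settings listed above. Unset options are reported
// too, so the result does not depend on the defaults of the Electron version.
const REQUIRED = {
  contextIsolation: true,  // page scripts and preload run in separate JS contexts
  sandbox: true,           // renderer runs inside the Chromium sandbox
  nodeIntegration: false,  // no require()/process available to page scripts
  webSecurity: true,       // same-origin policy stays enforced
};

function auditWindowOptions(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  for (const [key, want] of Object.entries(REQUIRED)) {
    if (prefs[key] === undefined) {
      findings.push(`${key}: not set explicitly (expected ${want})`);
    } else if (prefs[key] !== want) {
      findings.push(`${key}: is ${prefs[key]}, expected ${want}`);
    }
  }
  // Secure IPC relies on a preload script that exposes a narrow bridge.
  if (typeof prefs.preload !== 'string' || prefs.preload.length === 0) {
    findings.push('preload: no preload script configured for the IPC bridge');
  }
  return findings;
}

// HTTPS-only: return every endpoint that is unparsable or not an https: URL.
function auditEndpoints(urls) {
  return urls.filter((u) => {
    try { return new URL(u).protocol !== 'https:'; } catch { return true; }
  });
}

// Constructed sample inputs (hypothetical path and hosts).
const hardened = { webPreferences: { contextIsolation: true, sandbox: true,
  nodeIntegration: false, webSecurity: true, preload: '/app/preload.js' } };
const weak = { webPreferences: { contextIsolation: false, nodeIntegration: true } };

console.log(auditWindowOptions(hardened));
console.log(auditWindowOptions(weak));
console.log(auditEndpoints(['https://api.example.com/v1', 'http://api.example.com/v1']));
```
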

We take security seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT create a public GitHub issue for security vulnerabilities
- Use GitHub Security Advisories to report privately
- Include detailed information about the vulnerability
- Provide steps to reproduce if possible
- Include your contact information for follow-up

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information

- Acknowledgment: Within 24 hours of report
- Initial Assessment: Within 72 hours
- Status Updates: Weekly until resolution
- Resolution: Target 7-14 days for critical issues

- Keep AgentCHAT updated to the latest version
- Use strong, unique API keys from official AI provider dashboards
- Store API keys securely and don't share them
- Be cautious when sharing conversation data
- Report suspicious behavior immediately

- Follow secure coding practices
- Never commit secrets or API keys to the repository
- Use dependency scanning tools
- Implement proper input validation
- Follow the principle of least privilege

Once a vulnerability is fixed:
- We will publish a security advisory
- Credit will be given to the reporter (unless they prefer to remain anonymous)
- Details will be shared after users have had time to update

For security-related questions or concerns:
- Security Advisories: GitHub Security Advisories
- PGP Key: Available upon request

Note: This security policy applies to the AgentCHAT desktop application. For questions about third-party AI provider security, please contact the respective providers directly.