We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability, please do not open a public issue. Instead, please report it privately:

- Email: [security@example.com] (replace with actual security contact)
- Subject: "Graphiti Security Vulnerability"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide an update within 7 days.
When contributing to this project:

- Never commit secrets:
  - API keys
  - Private keys
  - Auth tokens
  - Passwords
- Validate all user input:
  - Use the centralized validation utilities
  - Sanitize user-provided content
  - Check length limits
- Handle errors securely:
  - Don't expose sensitive information in error messages
  - Use the centralized error handler
  - Log errors without sensitive data
- Follow secure coding practices:
  - Use type guards instead of type assertions
  - Check for null/undefined before operations
  - Use HTTPS for all network requests

- Keep the extension updated
- Review permissions before installing
- Report suspicious behavior immediately
- Don't share your Pubky private keys
- QR-based authentication: Secure authentication via Pubky Ring mobile app
- No password storage: Passwords are never stored
- Encrypted tokens: Auth tokens encrypted with client secrets
- Session management: Secure session storage in Chrome storage

- Local-first storage: Data stored locally before sync
- URL hashing: Privacy-preserving URL tags using SHA-256
- No tracking: No analytics or tracking code
- User control: Users control what data is synced

- Centralized validation: All inputs validated through validation.ts
- XSS prevention: Content sanitized before display
- Length limits: Prevents DoS attacks via large inputs
- Type checking: TypeScript strict mode enabled
- HTTPS only: All network requests use HTTPS
- Rate limiting: Client-side rate limiting to prevent abuse
- Error handling: Secure error handling without information leakage

- Content Script Isolation: Content scripts run in page context but are isolated
- Service Worker: Background script runs in service worker context
- Storage Quota: Chrome storage has a 5 MB limit (shared with other extensions)
- Decentralized: No central authority controls data
- Public by default: Data synced to homeserver is public
- User responsibility: Users responsible for their private keys
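To make the "URL hashing" item above concrete, here is an added example (not the extension's own code) of a privacy-preserving URL tag: the URL is normalized so that the same page always produces the same tag, then hashed with SHA-256, and only the hex digest is synced. In the extension the digest would come from Web Crypto (`crypto.subtle.digest('SHA-256', bytes)`); a compact SHA-256 is inlined here only so the example runs with no runtime dependency. `normalizeUrl`, `urlTag` and the normalization rules are assumptions.

```typescript
// Added example, not the extension's code: SHA-256 URL tags as described in
// the "URL hashing" item. Web Crypto would supply the digest in the extension;
// the SHA-256 below is inlined only to keep the example dependency-free.
// normalizeUrl, urlTag and the normalization rules are assumptions.

// SHA-256 round constants (FIPS 180-4).
const K = [
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];

function rotr(x: number, n: number): number {
  return (x >>> n) | (x << (32 - n));
}

function sha256(msg: Uint8Array): Uint8Array {
  const H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
  // Padding: 0x80, zeros, then the 64-bit big-endian bit length; total is a multiple of 64.
  const padded = (msg.length + 9 + 63) & ~63;
  const buf = new Uint8Array(padded);
  buf.set(msg);
  buf[msg.length] = 0x80;
  const bits = msg.length * 8;
  for (let i = 0; i < 8; i++) buf[padded - 1 - i] = Math.floor(bits / Math.pow(2, 8 * i)) & 0xff;
  const w = new Array<number>(64);
  for (let off = 0; off < padded; off += 64) {
    for (let t = 0; t < 16; t++) {
      const j = off + 4 * t;
      w[t] = ((buf[j] << 24) | (buf[j + 1] << 16) | (buf[j + 2] << 8) | buf[j + 3]) >>> 0;
    }
    for (let t = 16; t < 64; t++) {
      const s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >>> 3);
      const s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >>> 10);
      w[t] = (w[t - 16] + s0 + w[t - 7] + s1) >>> 0;
    }
    let [a, b, c, d, e, f, g, h] = H;
    for (let t = 0; t < 64; t++) {
      const t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) >>> 0;
      const t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) >>> 0;
      h = g; g = f; f = e; e = (d + t1) >>> 0;
      d = c; c = b; b = a; a = (t1 + t2) >>> 0;
    }
    const add = [a, b, c, d, e, f, g, h];
    for (let i = 0; i < 8; i++) H[i] = (H[i] + add[i]) >>> 0;
  }
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) out[i] = (H[i >> 2] >>> (24 - 8 * (i & 3))) & 0xff;
  return out;
}

// UTF-8 encode a JS string (handles surrogate pairs) without relying on TextEncoder.
function utf8(s: string): Uint8Array {
  const bytes: number[] = [];
  for (let i = 0; i < s.length; i++) {
    let c = s.charCodeAt(i);
    const next = s.charCodeAt(i + 1); // NaN past the end, so the pair test fails
    if (c >= 0xd800 && c <= 0xdbff && next >= 0xdc00 && next <= 0xdfff) {
      c = 0x10000 + ((c - 0xd800) << 10) + (next - 0xdc00);
      i++;
    }
    if (c < 0x80) bytes.push(c);
    else if (c < 0x800) bytes.push(0xc0 | (c >> 6), 0x80 | (c & 0x3f));
    else if (c < 0x10000) bytes.push(0xe0 | (c >> 12), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
    else bytes.push(0xf0 | (c >> 18), 0x80 | ((c >> 12) & 0x3f), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
  }
  return new Uint8Array(bytes);
}

function toHex(bytes: Uint8Array): string {
  let s = '';
  for (let i = 0; i < bytes.length; i++) s += (bytes[i] < 16 ? '0' : '') + bytes[i].toString(16);
  return s;
}

export function sha256Hex(text: string): string {
  return toHex(sha256(utf8(text)));
}

// Canonicalize so one page always yields one tag: drop the fragment (browsers
// never send it anyway), lowercase scheme and host, and use "/" for an empty path.
export function normalizeUrl(raw: string): string {
  let url = raw.trim();
  const frag = url.indexOf('#');
  if (frag >= 0) url = url.slice(0, frag);
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^\/?#]+)(.*)$/i.exec(url);
  if (!m) return url;
  return m[1].toLowerCase() + m[2].toLowerCase() + (m[3] === '' ? '/' : m[3]);
}

// The value synced to the homeserver in place of the URL itself.
export function urlTag(raw: string): string {
  return sha256Hex(normalizeUrl(raw));
}
```

Two properties of this design are worth keeping in mind when reviewing it. The tag is deterministic and unsalted, which is what lets two users tag the same page with the same value, but it also means anyone who can guess a candidate URL can recompute its tag and confirm a match; the hash hides the URL only from parties who cannot enumerate candidates. And because matching depends on byte-identical input, any change to the normalization rules changes every tag, so those rules need to be versioned with the data.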
Before each release:
- No secrets in code or configuration
- All user inputs validated
- Error messages don't expose sensitive data
- HTTPS used for all network requests
- Dependencies up to date
- Security audit completed
- Privacy policy updated (if needed)
We follow responsible disclosure:
- Report privately (see Reporting section)
- Acknowledge within 48 hours
- Investigate and develop a fix
- Release the fix in a timely manner
- Credit the reporter (if desired)
Security updates are released as:
- Patch versions (1.0.x) for critical vulnerabilities
- Minor versions (1.x.0) for important security improvements
- Major versions (x.0.0) for breaking security changes