| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability in CAAL, please report it responsibly.
Do NOT open a public issue for security vulnerabilities.
Email: cmac@coreworxlab.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution timeline: Depends on severity, typically 30-90 days
This policy applies to:
- Python voice agent (
voice_agent.py,src/caal/) - Next.js frontend (
frontend/) - Flutter mobile app (
mobile/) - Docker configurations
- n8n workflow examples
- Third-party dependencies (report to respective projects)
- Self-hosted infrastructure misconfigurations
- Social engineering attacks
When deploying CAAL:
- Generate unique LiveKit keys for production
- Use HTTPS for any non-localhost deployment
- Secure your n8n instance with authentication
- Keep Ollama on a trusted network
- Review n8n workflows before enabling MCP access
Thank you for helping keep CAAL secure.