Security: ciroautuori/brainhub

SECURITY.md

Security Policy

Supported Versions

Version   Supported
3.2.x     ✅ Yes
3.1.x     ⚠️ Security fixes only
3.0.x     ❌ No
< 3.0     ❌ No

Reporting a Vulnerability

If you discover a security vulnerability in the BrainHub Obsidian Plugin, please report it responsibly.

How to Report

Do NOT open a public issue.

Instead, send an email to: security@brainhub.website

Include the following information:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if known)

What to Expect

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Assessment: We will assess the severity and create a fix
  3. Timeline: We will provide an estimated timeline for the fix
  4. Disclosure: We will coordinate disclosure with you
  5. Credit: We will credit you in the security advisory (if desired)

Response Times

  • Critical: Fix within 48 hours, disclosure within 7 days
  • High: Fix within 7 days, disclosure within 14 days
  • Medium: Fix within 14 days, disclosure within 30 days
  • Low: Fix within 30 days, disclosure within 60 days

Security Best Practices

For Users

  1. Keep Updated: Always use the latest version
  2. Secure API Keys: Never share your API keys
  3. Use HTTPS: Always use HTTPS URLs in production
  4. Review Permissions: Check plugin permissions
  5. Monitor Usage: Check for unusual activity

For Developers

  1. Input Validation: Validate all user inputs
  2. Sanitize Data: Sanitize data before processing
  3. Use HTTPS: Always use HTTPS for API calls
  4. Error Handling: Don't expose sensitive information in errors
  5. Dependencies: Keep dependencies updated

Known Security Considerations

API Key Storage

  • API keys are stored in Obsidian settings (encrypted)
  • Keys are never logged or exposed
  • Keys have expiration dates
  • Keys can be revoked at any time

Data Transmission

  • All API calls use HTTPS/TLS
  • API keys are sent via headers (not query params)
  • Sensitive data is never cached

Third-Party Dependencies

We regularly audit and update dependencies:

  • @xenova/transformers - Local embeddings
  • obsidian - Obsidian API
  • esbuild - Build tool

Local Embeddings

  • Embeddings are computed locally using ONNX
  • No data is sent to external services for embeddings
  • Models are downloaded from trusted sources

Security Features

Authentication

  • API key authentication
  • JWT token support (for web dashboard)
  • Token expiration and refresh
  • Rate limiting per API key

Authorization

  • Scoped API keys (read, write, chat)
  • User data isolation
  • Subscription tier enforcement

Data Protection

  • User data isolation in database
  • Multi-tenant architecture
  • Encrypted API keys
  • Secure credential storage

Dependency Management

Automated Updates

We use Dependabot to automatically monitor and update dependencies:

  • Security alerts are sent immediately
  • Automated PRs for dependency updates
  • Manual review before merging

Vulnerability Scanning

  • GitHub Dependabot scans for vulnerabilities
  • CodeQL analysis on every PR
  • Manual security reviews for critical changes

Security Audits

Past Audits

  • 2025-12-01: Initial security review
  • 2026-01-01: Dependency audit

Future Audits

We plan to conduct annual security audits:

  • Third-party security firm
  • Penetration testing
  • Code review

Security Advisories

We will publish security advisories for:

  • Critical vulnerabilities
  • High-severity bugs
  • Security best practices

Subscribe to releases to stay informed: https://github.com/ciroautuori/brainhub-obsidian-plugin/releases

Contact

For security-related questions:

License

This security policy is part of the BrainHub Obsidian Plugin project and is licensed under the MIT License.

Thank you for helping keep BrainHub secure! 🔒