diff --git a/README.md b/README.md index 5f39588..fcf66dc 100644 --- a/README.md +++ b/README.md @@ -240,6 +240,10 @@ npm run build See [CHANGELOG.md](CHANGELOG.md) for a detailed history of changes. +## 🔒 Security + +See [SECURITY.md](SECURITY.md) for the security policy and how to report vulnerabilities. + ## 🤝 Contributing Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. diff --git a/SECURITY.md b/SECURITY.md index 9f5edc5..aebae33 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,24 +4,43 @@ | Version | Supported | |---------|-----------| -| Latest | ✅ | +| Latest release | ✅ | +| Older releases | ❌ | -## Architecture +We recommend always running the latest version of PinchChat. -PinchChat is a **static frontend** — it runs entirely in the browser. There is no server-side component. +## Security Model -- Gateway credentials are entered at runtime and stored in `localStorage` -- No secrets are baked into the build -- All communication happens over WebSocket to your own OpenClaw gateway +PinchChat is a **static frontend** that connects to your OpenClaw gateway via WebSocket. Key security properties: + +- **No server-side code** — PinchChat is a pure client-side SPA served as static files +- **Runtime authentication** — gateway URL and token are entered at login and stored in `localStorage`, never baked into the build +- **No secrets in the image** — the Docker image contains only static assets; credentials are provided at runtime +- **No telemetry** — PinchChat does not phone home, collect analytics, or send data to third parties + +### Token Handling + +- The gateway token is stored in the browser's `localStorage` +- It is transmitted only over the WebSocket connection to your gateway +- Logging out clears the token from storage +- **If you serve PinchChat over the network, use HTTPS** to protect the token in transit + +### Recommendations + +- Always use `wss://` (WebSocket over TLS) in production +- Restrict gateway access to trusted networks or use a reverse proxy with authentication +- Rotate your OpenClaw gateway token periodically +- Do not share your browser's `localStorage` data ## Reporting a Vulnerability -If you discover a security issue, please **do not** open a public issue. +If you discover a security vulnerability, please report it responsibly: -Instead, email **contact@nicolasvarrot.fr** with: +1. **Do NOT open a public issue** +2. 
Email **contact@nicolasvarrot.fr** with: + - A description of the vulnerability + - Steps to reproduce + - Potential impact +3. You will receive a response within 72 hours -- A description of the vulnerability -- Steps to reproduce -- Potential impact - -You'll receive a response within 48 hours. Valid reports will be credited in the fix commit. +We appreciate responsible disclosure and will credit reporters (unless they prefer anonymity).
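Review bot: in the SECURITY.md hunk, the Token Handling bullet `**If you serve PinchChat over the network, use HTTPS** to protect the token in transit` names the wrong channel: the bullet just above it says the token travels only over the WebSocket connection to the gateway, so what protects it in transit is `wss://` (which the Recommendations list already asks for), while HTTPS on the static origin protects the page itself from tampering and makes the browser refuse a plain `ws://` connection as mixed content. Suggest rewording to something like `**Serve PinchChat over HTTPS and connect to the gateway with wss://**`, since the token is only as safe as both channels. Two more points in the same section: `The gateway token is stored in the browser's localStorage` should state the consequence that any script running on that origin can read it, so a tampered bundle or an XSS bug in the SPA hands over the gateway token, and that `localStorage` persists across browser restarts, so `Logging out clears the token from storage` is the only thing that removes it from a shared machine (say so, or document `sessionStorage` as the alternative); and `It is transmitted only over the WebSocket connection to your gateway` does not say whether the token goes in the connection URL or in a message after the handshake, which matters because a token in the URL ends up in reverse-proxy and gateway access logs, exactly the `reverse proxy with authentication` setup the Recommendations suggest. Finally, the reporting section changes the commitment from `You'll receive a response within 48 hours` to `within 72 hours` and drops `Valid reports will be credited in the fix commit` in favour of a general credit sentence; both are reasonable, but the commit message should mention the SLA change so it is visible in history, and step `3. You will receive a response within 72 hours` is a promise by the maintainer rather than an action for the reporter, so it reads better as a sentence after the numbered list.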