docs: add SECURITY.md with security policy and vulnerability reporting

Nicolas Varrot
2026-02-12 20:38:41 +00:00
parent 87f4c8ebf9
commit 32bc43d54f
2 changed files with 36 additions and 13 deletions


@@ -240,6 +240,10 @@ npm run build
See [CHANGELOG.md](CHANGELOG.md) for a detailed history of changes. See [CHANGELOG.md](CHANGELOG.md) for a detailed history of changes.
## 🔒 Security
See [SECURITY.md](SECURITY.md) for the security policy and how to report vulnerabilities.
## 🤝 Contributing ## 🤝 Contributing
Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.


@@ -4,24 +4,43 @@
| Version | Supported | | Version | Supported |
|---------|-----------| |---------|-----------|
| Latest | ✅ | | Latest release | ✅ |
| Older releases | ❌ |
## Architecture We recommend always running the latest version of PinchChat.
PinchChat is a **static frontend** — it runs entirely in the browser. There is no server-side component. ## Security Model
- Gateway credentials are entered at runtime and stored in `localStorage` PinchChat is a **static frontend** that connects to your OpenClaw gateway via WebSocket. Key security properties:
- No secrets are baked into the build
- All communication happens over WebSocket to your own OpenClaw gateway - **No server-side code** — PinchChat is a pure client-side SPA served as static files
- **Runtime authentication** — gateway URL and token are entered at login and stored in `localStorage`, never baked into the build
- **No secrets in the image** — the Docker image contains only static assets; credentials are provided at runtime
- **No telemetry** — PinchChat does not phone home, collect analytics, or send data to third parties
### Token Handling
- The gateway token is stored in the browser's `localStorage`
- It is transmitted only over the WebSocket connection to your gateway
- Logging out clears the token from storage
- **If you serve PinchChat over the network, use HTTPS** to protect the token in transit
### Recommendations
- Always use `wss://` (WebSocket over TLS) in production
- Restrict gateway access to trusted networks or use a reverse proxy with authentication
- Rotate your OpenClaw gateway token periodically
- Do not share your browser's `localStorage` data
## Reporting a Vulnerability ## Reporting a Vulnerability
If you discover a security issue, please **do not** open a public issue. If you discover a security vulnerability, please report it responsibly:
Instead, email **contact@nicolasvarrot.fr** with: 1. **Do NOT open a public issue**
2. Email **contact@nicolasvarrot.fr** with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
3. You will receive a response within 72 hours
- A description of the vulnerability We appreciate responsible disclosure and will credit reporters (unless they prefer anonymity).
- Steps to reproduce
- Potential impact
You'll receive a response within 48 hours. Valid reports will be credited in the fix commit.
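Review bot: the new "Token Handling" bullets say the token is stored in `localStorage` and "transmitted only over the WebSocket connection to your gateway", but leave out the caveat a reader of a security policy needs: `localStorage` is readable by any JavaScript executing on the PinchChat origin, and the token persists across browser restarts until "Logging out clears the token from storage". Suggest a bullet such as `- The token is readable by any script running on the PinchChat origin and persists until logout, so keep third-party scripts off that origin and log out on shared machines`, which also gives the vague `- Do not share your browser's localStorage data` line a concrete meaning. Two documentation points in the same hunk: the response window moves from `48 hours` (old) to `72 hours` (new) and the credit policy from "credited in the fix commit" to "credit reporters (unless they prefer anonymity)", neither of which the commit message mentions; and the hunk header `@@ -4,24 +4,43 @@` shows SECURITY.md already existed, so "add SECURITY.md" in the commit title is misleading and something like "rewrite SECURITY.md" would be more accurate.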