We actively support and provide security updates for the following versions of CACI (Code Assistant Configuration Interface):

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously and appreciate your help in making CACI (Code Assistant Configuration Interface) safe for everyone.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities to us via one of the following methods:
- Email: Send details to eladbenhaim@gmail.com
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
When reporting a vulnerability, please include as much of the following information as possible:
- A description of the vulnerability and its potential impact
- Steps to reproduce the vulnerability
- Affected versions
- Any possible mitigations or workarounds
- Your contact information for follow-up questions
We will respond to your report within 48 hours and aim to provide regular updates every 72 hours until the issue is resolved.
Our typical response process:
- Acknowledgment (within 48 hours)
- Investigation (within 7 days)
- Fix development (timeline varies based on complexity)
- Testing and validation (within 3 days of fix)
- Release and disclosure (coordinated with reporter)
Our security measures and development practices include:
- Dependency Scanning: Automated vulnerability scanning of all dependencies
- Code Analysis: Static analysis for security vulnerabilities
- Secret Scanning: Automated detection of accidentally committed secrets
- Container Security: Docker image vulnerability scanning
- License Compliance: Verification of dependency licenses
- Code Reviews: All code changes require review before merge
- Automated Testing: Comprehensive test suite including security tests
- Minimal Dependencies: We keep dependencies to a minimum and regularly audit them
- Principle of Least Privilege: Applications and containers run with minimal required permissions
Privacy properties of CACI (Code Assistant Configuration Interface):
- No Data Collection: We do not collect personal data or usage analytics
- Local Processing: All analysis is performed locally on your machine
- API Keys: When API keys are used, they are processed locally and not stored
- File Access: Only reads configuration files you specify
This security policy applies to:
- The main CACI CLI tool
- Official Docker images
- Official NPM packages
- Documentation and examples
The following are outside the scope of our security policy:
- Vulnerabilities in third-party dependencies (please report these to the respective maintainers)
- Issues requiring physical access to a machine
- Social engineering attacks
- Issues in development or test environments
To use CACI securely:
- Environment Variables: Store API keys in environment variables, not in code
- File Permissions: Ensure configuration files have appropriate permissions
- Key Rotation: Regularly rotate API keys
- Monitoring: Monitor API key usage for unexpected activity
- Verify Checksums: Verify package checksums when installing
- Use Official Sources: Only install from official NPM or GitHub releases
- Keep Updated: Regularly update to the latest version
- Scan Dependencies: Regularly audit your project dependencies
- Review Output: Review generated configurations before applying them
- Backup Configurations: Keep backups of important configuration files
- Validate Inputs: Be cautious with configuration files from untrusted sources
Security updates are released as:
- Patch releases (1.0.x) for backward-compatible security fixes
- Minor releases (1.x.0) for security fixes requiring minor changes
- Major releases (x.0.0) for security fixes requiring breaking changes
All security updates are:
- Released as soon as possible after a fix is validated
- Announced in the GitHub releases
- Documented in the changelog
- Tagged with security labels
We appreciate security researchers and users who help make CACI more secure. Contributors who report valid security vulnerabilities will be acknowledged in our release notes (unless they prefer to remain anonymous).
For any questions about this security policy, please contact:
- Email: eladbenhaim@gmail.com
- GitHub Issues: For non-security-related questions only
This security policy is effective as of [Current Date] and may be updated from time to time.