| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security seriously at ralph-starter. If you discover a security vulnerability, please follow these steps:
Please do not:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed

Please do:
- Email us directly at ruben@rubenmarcus.dev (or open a private security advisory on GitHub)
- Include as much detail as possible:
  - Type of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity, typically 30-90 days
| Level | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, credential theft | 7 days |
| High | Data exposure, authentication bypass | 14 days |
| Medium | Limited data exposure, DoS | 30 days |
| Low | Minor issues, hardening | 90 days |
ralph-starter handles sensitive credentials including:
- API Keys: Linear, Notion, GitHub, Figma
- OAuth Tokens: Various integrations
- LLM API Keys: Anthropic, OpenAI, OpenRouter
- Local Storage: Credentials are stored in `~/.ralph-starter/` with restricted permissions
- No Telemetry: We do not collect or transmit your credentials
- No Logging: Credentials are never logged or included in error reports
- Memory Only: OAuth tokens are handled in memory during authentication flows

Recommended practices for users:
- Use environment variables when possible (`ANTHROPIC_API_KEY`, etc.)
- Never commit the `.ralph-starter/` directory
- Use GitHub CLI (`gh`) instead of personal access tokens when possible
- Regularly rotate API keys
- Use tokens with minimal required scopes
Security updates are released as patch versions (e.g., 0.1.1 -> 0.1.2) and announced via:
- GitHub Releases
- npm package updates
We recommend always using the latest version.
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (with permission) in our release notes.