The BBai project takes security seriously. We appreciate your efforts to responsibly disclose your findings.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.
The BBai team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
As BBai is currently in alpha, we only support the latest version with security updates. Once we reach a stable release, we will provide a table of supported versions here.
Once we have confirmed a security issue, we will:
- Develop a fix and test it thoroughly.
- Prepare a security advisory detailing the vulnerability and the fix.
- Release a new version containing the fix.
- Publish the security advisory.
While using BBai:
- Always use the latest version.
- Do not expose the BBai API to the public internet.
- Be cautious when using BBai with sensitive data or codebases.
- Regularly check for and apply updates.
- Ensure that TLS certificates are properly configured and up-to-date.
BBai requires TLS for secure operation. Here are some important points regarding TLS security:
- TLS certificates are automatically generated during the initialization process using either `mkcert` or `openssl`.
- If you're using custom certificates, ensure they are from a trusted source and kept up-to-date.
- The TLS configuration options (`api.tlsKeyFile`, `tlsKeyPem`, `tlsCertFile`, `tlsCertPem`) should be handled with care, and the key files should be properly secured.
- Regularly update your TLS certificates to maintain security standards.
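As an added example (not code from the BBai project), a small Python check for the points above: it assumes the configuration is available as a dict with an `api` section holding the keys named above, and reports a key file that is group/world accessible, files that lack PEM markers, and a private key placed inline in the config.

```python
import stat
from pathlib import Path

# Config key names come from the policy above; the dict layout is an assumption.
KEY_MARKER = "PRIVATE KEY-----"          # matches PKCS#8, RSA and EC PEM headers
CERT_MARKER = "-----BEGIN CERTIFICATE-----"


def check_key_file(path):
    """Return a list of findings for a TLS private key file (empty list = OK)."""
    findings = []
    p = Path(path)
    if not p.is_file():
        return [f"{path}: key file not found"]
    mode = stat.S_IMODE(p.stat().st_mode)
    # A private key should be readable only by its owner (0600 or stricter).
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {oct(mode)} is group/world accessible; expected 0600")
    if KEY_MARKER not in p.read_text(errors="replace"):
        findings.append(f"{path}: does not look like a PEM private key")
    return findings


def check_cert_file(path):
    """Return a list of findings for a TLS certificate file (empty list = OK)."""
    p = Path(path)
    if not p.is_file():
        return [f"{path}: certificate file not found"]
    if CERT_MARKER not in p.read_text(errors="replace"):
        return [f"{path}: does not look like a PEM certificate"]
    return []


def check_tls_config(cfg):
    """cfg: dict with an 'api' section holding the TLS keys. Returns findings (empty = OK)."""
    findings = []
    api = cfg.get("api", {})
    if api.get("tlsKeyPem"):
        # Inline key material means the config file itself must be protected like a key file.
        findings.append("tlsKeyPem: private key inline in config; protect the config file like a key file")
    if api.get("tlsKeyFile"):
        findings.extend(check_key_file(api["tlsKeyFile"]))
    if api.get("tlsCertFile"):
        findings.extend(check_cert_file(api["tlsCertFile"]))
    if not (api.get("tlsKeyFile") or api.get("tlsKeyPem")):
        findings.append("no TLS private key configured (tlsKeyFile or tlsKeyPem)")
    return findings
```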
Thank you for helping keep BBai and our users safe!