We release patches for security vulnerabilities in the following versions:

We take security seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should be reported privately to prevent exploitation.

Send an email to: security@LMWebUI.dev

Include the following information:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)
• Your contact information

• Acknowledgment: We'll acknowledge receipt within 48 hours
• Assessment: We'll assess the vulnerability within 7 days
• Fix: We'll work on a fix and keep you updated
• Disclosure: We'll coordinate public disclosure with you

• 100% Local: No data leaves your device
• No Telemetry: Zero tracking or analytics
• No External APIs: Direct connection to Ollama only
• Local Storage: All data stored locally

• No Cloud Sync: Conversations never leave your device
• No User Tracking: We don't collect any user data
• No Analytics: No usage statistics collected
• No Cookies: Minimal cookie usage for functionality only

• Dependency Scanning: Regular security audits
• Type Safety: TypeScript for type safety
• Input Validation: All inputs are validated
• XSS Protection: React's built-in XSS protection
• CSRF Protection: Same-origin policy enforcement

We perform regular security audits including:

• Dependency vulnerability scanning
• Code security review
• Penetration testing
• Security best practices review

• npm audit: For dependency vulnerabilities
• ESLint security: For code security issues
• OWASP ZAP: For web application security testing
• Snyk: For continuous vulnerability monitoring

• Local Only: Ollama runs locally on your machine
• No Authentication: Ollama doesn't require authentication by default
• Network Access: Ollama listens on localhost:11434
• Model Safety: AI model safety depends on the model itself

• Same-Origin Policy: Enforced by the browser
• Content Security Policy: Implemented where possible
• HTTPS: Required for production deployments
• Secure Headers: Security headers implemented

1. Keep Ollama Updated: Regularly update Ollama
2. Use Trusted Models: Only use models from trusted sources
3. Local Network: Run on trusted local networks only
4. Regular Updates: Keep LMWebUI updated
5. Secure Environment: Run in a secure environment

1. Dependency Updates: Keep dependencies updated
2. Security Headers: Implement proper security headers
3. Input Validation: Validate all user inputs
4. Error Handling: Don't expose sensitive information in errors
5. Code Review: Security-focused code reviews

• All dependencies updated
• Security audit completed
• Vulnerability scan passed
• Security headers implemented
• Input validation in place
• Error handling secure
• No sensitive data in logs
• HTTPS enforced
• Content Security Policy set

• No hardcoded secrets
• Input validation added
• Error handling secure
• No sensitive data exposed
• Security best practices followed
• Code reviewed for security

1. Immediate Response

   • Assess the severity
   • Contain the issue
   • Notify affected users

2. Investigation

   • Root cause analysis
   • Impact assessment
   • Timeline reconstruction

3. Remediation

   • Fix the vulnerability
   • Deploy the fix
   • Monitor for exploitation

4. Communication

   • Public disclosure
   • User notification
   • Lessons learned

For security-related questions or concerns:

• Email: security@LMWebUI.dev
• PGP Key: [Available on request]
• Response Time: Within 48 hours
• Disclosure Policy: Coordinated disclosure

This security policy may be updated from time to time. We will notify users of significant changes through:

• GitHub releases
• Project documentation
• Email notifications (if subscribed)

We thank the security researchers and community members who help us maintain the security of LMWebUI.

Last Updated: January 2025 Version: 1.0 Next Review: July 2025