We take security vulnerabilities seriously. If you discover a security issue in MomShell, please report it responsibly.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. GitHub Security Advisories (Preferred) Report a vulnerability

2. Email Contact the maintainers directly (see repository maintainer profiles)

Please include the following information in your report:

• Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
• Affected component (Soul Companion, Sisterhood Bond, Echo/Memoir, Photo Gallery, Whisper, Tasks, Admin Panel, API, etc.)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Potential impact of the vulnerability
• Any suggested fixes (optional)

• Acknowledgment: We will acknowledge receipt of your report within 48 hours
• Assessment: We will investigate and assess the severity of the issue
• Updates: We will keep you informed of our progress
• Resolution: We aim to resolve critical vulnerabilities promptly
• Credit: We will credit you in our release notes (unless you prefer to remain anonymous)

When deploying MomShell, please ensure:

1. Environment Variables

   • Never commit .env files or API keys to version control
   • Use secure secret management for OPENAI_API_KEY
   • Change JWT_SECRET_KEY to a secure random value in production
   • Rotate API keys periodically

2. Network Security

   • Use HTTPS in production (configure SSL/TLS in Nginx)
   • Restrict API access to trusted origins (CORS configuration)
   • Use firewalls to limit exposed ports

3. Database Security

   • Use strong, unique passwords for PostgreSQL access
   • Regularly backup the database
   • Restrict network access to the database port

4. Docker Security

   • Keep base images updated
   • Don't run containers as root in production
   • Use Docker secrets for sensitive data

5. Content Moderation

   • Review and customize sensitive content filters for your deployment
   • Monitor flagged content regularly
   • Ensure crisis intervention workflows are properly configured

The following are in scope for security reports:

• Authentication and authorization vulnerabilities
• Data exposure or leakage
• Injection attacks (SQL, command, etc.)
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Insecure direct object references
• Security misconfigurations in default settings
• Vulnerabilities in dependencies

The following are out of scope:

• Denial of service (DoS) attacks
• Social engineering attacks
• Physical security issues
• Issues in third-party services (ModelScope API, etc.)
• Issues requiring physical access to the server

We thank all security researchers who help keep MomShell and its users safe.