Security: vestavision/btkcommerce

SECURITY.md

Security Policy

Supported Versions

The following versions of BTKCommerce are currently supported with security updates:

Version   Supported
0.1.x     yes

As the project matures, we will expand this matrix.

Reporting a Vulnerability

If you discover a security vulnerability in BTKCommerce, please report it responsibly.

Please do not open a public GitHub issue for security vulnerabilities.

Instead, send an email to security@vestavision.io with the following details:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any suggested fix or mitigation

We will acknowledge receipt within 48 hours and work with you to understand and address the issue. We ask that you give us a reasonable amount of time (typically 90 days) to fix the vulnerability before any public disclosure.

Security Practices

Credential Management

BTKCommerce does not pass AI provider credentials through environment variables. All secrets are managed through an encrypted credential store:

  • Encryption: ML-KEM-768 + AES-GCM envelope (a fresh shared secret is encapsulated to the master key for each record and used as the AES-GCM key)
  • Storage: data/credentials/records.json (holds only envelopes, never plaintext secrets)
  • Management: Admin UI at /admin/ai-credentials or CLI (go run ./cmd/ops credentials ...)
  • Master key: auto-generated on first use at the path given by PQ_MASTER_KEY_PATH

The records file is unreadable without the master key, so back up and restrict access to the file at PQ_MASTER_KEY_PATH separately from the records file; a lost master key means every stored credential must be re-entered.
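The envelope described above, as an added example written for this page (it is not BTKCommerce's own code, and the SealedRecord field names, the record layout and the use of the provider name as associated data are assumptions for illustration). It uses Go's standard crypto/mlkem package (Go 1.24 or newer): the writer needs only the public ML-KEM-768 encapsulation key, the reader decapsulates with the private seed loaded from the master-key path, and the 32-byte shared secret keys AES-256-GCM for the credential itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// SealedRecord is a hypothetical envelope for one stored credential. The field
// names are assumptions for this example, not BTKCommerce's records.json schema.
type SealedRecord struct {
	Provider      string `json:"provider"` // also bound in as AES-GCM associated data
	KEMCiphertext []byte `json:"kem_ct"`   // ML-KEM-768 ciphertext, 1088 bytes
	Nonce         []byte `json:"nonce"`    // 12-byte AES-GCM nonce, fresh per record
	Ciphertext    []byte `json:"ct"`       // AES-256-GCM ciphertext with 16-byte tag
}

// LoadOrCreateMasterKey mirrors "auto-generated at a configured path": the
// 64-byte ML-KEM-768 seed is read from path, or generated and written with
// mode 0600 when the file does not exist yet. Any other read error is returned.
func LoadOrCreateMasterKey(path string) (*mlkem.DecapsulationKey768, error) {
	seed, err := os.ReadFile(path)
	switch {
	case err == nil:
		return mlkem.NewDecapsulationKey768(seed)
	case errors.Is(err, os.ErrNotExist):
		dk, err := mlkem.GenerateKey768()
		if err != nil {
			return nil, err
		}
		if err := os.WriteFile(path, dk.Bytes(), 0o600); err != nil {
			return nil, err
		}
		return dk, nil
	default:
		return nil, err
	}
}

// newGCM uses the 32-byte ML-KEM shared secret directly as the AES-256 key.
func newGCM(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encapsulates a fresh shared secret to the public encapsulation key and
// encrypts the credential under it. A writer (admin UI, CLI) therefore never
// needs the private seed, only the public half of the master key.
func Seal(ek *mlkem.EncapsulationKey768, provider string, secret []byte) (*SealedRecord, error) {
	sharedKey, kemCT := ek.Encapsulate()
	aead, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, secret, []byte(provider))
	return &SealedRecord{Provider: provider, KEMCiphertext: kemCT, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the shared secret with the private decapsulation key and then
// authenticates the record. ML-KEM decapsulation does not fail on a foreign
// ciphertext (it yields a different key), so the GCM tag check is what rejects
// a tampered record, a swapped provider label, or a record sealed to another key.
func Open(dk *mlkem.DecapsulationKey768, rec *SealedRecord) ([]byte, error) {
	sharedKey, err := dk.Decapsulate(rec.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sharedKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Provider))
}

func main() {
	dir, _ := os.MkdirTemp("", "pq-demo")
	defer os.RemoveAll(dir)
	dk, err := LoadOrCreateMasterKey(filepath.Join(dir, "master.key"))
	if err != nil {
		panic(err)
	}
	// Constructed sample credential for the demo; not a real provider key.
	rec, err := Seal(dk.EncapsulationKey(), "example-provider", []byte("sk-constructed-sample"))
	if err != nil {
		panic(err)
	}
	blob, _ := json.MarshalIndent(rec, "", "  ") // []byte fields serialize as base64
	fmt.Println(string(blob))
	pt, err := Open(dk, rec)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

Binding the provider name as associated data is the detail worth copying: without it, an attacker with write access to the records file could move a valid envelope from one provider's entry to another and the decryption would still succeed.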

Mock Fallback

When provider credentials are missing, AI features automatically fall back to a mock/rule-based implementation, and routes never error out because of missing credentials. Because this fallback is transparent to callers, a successful response does not prove that a real provider is configured; production deployments should verify that the intended credentials are loaded (via the admin UI or the ops CLI) rather than infer it from route behaviour.

Object Storage

Production deployments should use an S3-compatible adapter (MinIO, AWS S3, Cloudflare R2). The filesystem adapter is for local development only.

Acknowledgments

We will publicly acknowledge responsible disclosures (with your permission) in our release notes and security advisories.

Thank you for helping keep BTKCommerce secure!

There aren't any published security advisories