We release patches for security vulnerabilities for the following versions:

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@openplaud.com (or create a private GitHub security advisory)

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

• Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

When deploying OpenPlaud:

• Never commit .env files to version control
• Use strong, randomly generated values for:
  • BETTER_AUTH_SECRET (min 32 characters)
  • ENCRYPTION_KEY (exactly 64 hex characters)
• Rotate secrets regularly

• Use strong database passwords
• Enable SSL/TLS for database connections in production
• Restrict database access to application servers only
• Regular database backups with encryption

• All API keys and Plaud bearer tokens are encrypted at rest using AES-256-GCM
• Never expose API keys in client-side code
• Rotate API keys periodically
• Use least-privilege access for AI API keys

• Deploy behind HTTPS/TLS in production
• Use reverse proxy (nginx, Caddy) for SSL termination
• Enable CORS only for trusted domains
• Consider rate limiting on API endpoints

• Run containers as non-root user (already configured)
• Keep base images updated
• Scan images for vulnerabilities
• Use Docker secrets for sensitive data

• Local Storage: Ensure proper file permissions (600 for files, 700 for directories)
• S3 Storage:
  • Use IAM roles with minimal permissions
  • Enable encryption at rest
  • Enable access logging
  • Use bucket policies to restrict access

• Enforce strong passwords
• Consider enabling 2FA (future feature)
• Session tokens are httpOnly cookies
• Sessions expire automatically

• Bearer tokens are obtained from plaud.ai and stored encrypted
• Tokens may have long expiration times (controlled by Plaud)
• If compromised, attacker could access Plaud recordings
• Mitigation: Regularly rotate by reconnecting device

• Browser-based transcription downloads ML models (~100-200MB)
• Models are from HuggingFace CDN
• Mitigation: Verify model integrity, use subresource integrity when possible

• Recording files can be large (up to GB)
• Mitigation:
  • Validate file types
  • Implement file size limits
  • Path traversal protection already implemented

• Application fetches from Plaud API and AI providers
• Mitigation:
  • Validate URLs
  • Whitelist allowed domains
  • Use timeouts for external requests

We will notify users of security updates through:

• GitHub Security Advisories
• Release notes
• CHANGELOG.md

When we receive a security bug report, we will:

1. Confirm the problem and determine affected versions
2. Audit code to find similar problems
3. Prepare fixes for all supported versions
4. Release new versions as soon as possible

We aim for a 90-day disclosure timeline from report to public disclosure.

We appreciate the security research community and will acknowledge researchers who report valid security issues (with permission).

For security concerns: security@openplaud.com For general issues: GitHub Issues For discussions: GitHub Discussions