If you've found a security issue in Vela Coach, please do not open a public issue. Instead, email security@vela.partners (or team@vela.partners if security@ bounces) with:
- A description of the vulnerability
- Steps to reproduce
- The version / commit you tested against
- Whether the issue is exploitable on the live deployment at
coach.vela.partners, locally, or both
We aim to:
- Acknowledge your report within 2 business days
- Provide an initial assessment within 5 business days
- Ship a fix within 30 days for high-severity issues
After the fix lands, we'll credit you in the release notes (if you'd like) and publish a brief postmortem if the issue affected production.
In scope:
- The
coach.vela.partnersproduction deployment - The code in this repository and any release artifact built from it (Docker image, npm dependencies we author)
- The Granola OAuth token-exchange proxy (
/api/auth/token) - The Gemini analysis path (
/api/character,/api/chat) - The
/resetflow that wipes localStorage
Out of scope:
- Third-party services we depend on (Granola, Google Gemini, Cloud Run) — report directly to those vendors
- Findings that require a compromised user device or browser extension
- Self-XSS via paste-into-DevTools
- Missing security headers without a demonstrated impact
- Volumetric DoS / resource exhaustion (Cloud Run autoscales; please don't load-test in production)
- Tokens, transcripts, founder profile, and readings stay in the user's browser localStorage. The server is stateless. There is no database.
- Transcripts pass through the server in-memory during analysis (Granola → server → Gemini → user's browser). Logs hold counts and HTTP status codes only — never transcript content or token payloads.
GEMINI_API_KEYis mounted from GCP Secret Manager at runtime. It is never in the bundle, never in version control, and not in logs. If you find a way to retrieve it client-side or via a route, treat that as critical.- OAuth
client_idis public by design (PKCE flow, no client secret).
If your finding contradicts any of those claims, please report it.
- We won't sue you for good-faith security research within the scope above.
- We won't pay a bounty (we're a small project), but we will credit you publicly and we treat every report seriously.
Thank you for helping keep Vela Coach safe.