Skip to content

Security: Vela-Eng-Lab/coach

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you've found a security issue in Vela Coach, please do not open a public issue. Instead, email security@vela.partners (or team@vela.partners if security@ bounces) with:

  • A description of the vulnerability
  • Steps to reproduce
  • The version / commit you tested against
  • Whether the issue is exploitable on the live deployment at coach.vela.partners, locally, or both

We aim to:

  • Acknowledge your report within 2 business days
  • Provide an initial assessment within 5 business days
  • Ship a fix within 30 days for high-severity issues

After the fix lands, we'll credit you in the release notes (if you'd like) and publish a brief postmortem if the issue affected production.

Scope

In scope:

  • The coach.vela.partners production deployment
  • The code in this repository and any release artifact built from it (Docker image, npm dependencies we author)
  • The Granola OAuth token-exchange proxy (/api/auth/token)
  • The Gemini analysis path (/api/character, /api/chat)
  • The /reset flow that wipes localStorage

Out of scope:

  • Third-party services we depend on (Granola, Google Gemini, Cloud Run) — report directly to those vendors
  • Findings that require a compromised user device or browser extension
  • Self-XSS via paste-into-DevTools
  • Missing security headers without a demonstrated impact
  • Volumetric DoS / resource exhaustion (Cloud Run autoscales; please don't load-test in production)

Threat Model (Quick)

  • Tokens, transcripts, founder profile, and readings stay in the user's browser localStorage. The server is stateless. There is no database.
  • Transcripts pass through the server in-memory during analysis (Granola → server → Gemini → user's browser). Logs hold counts and HTTP status codes only — never transcript content or token payloads.
  • GEMINI_API_KEY is mounted from GCP Secret Manager at runtime. It is never in the bundle, never in version control, and not in logs. If you find a way to retrieve it client-side or via a route, treat that as critical.
  • OAuth client_id is public by design (PKCE flow, no client secret).

If your finding contradicts any of those claims, please report it.

What we won't do

  • We won't sue you for good-faith security research within the scope above.
  • We won't pay a bounty (we're a small project), but we will credit you publicly and we treat every report seriously.

Thank you for helping keep Vela Coach safe.

There aren't any published security advisories