GroqTales follows a rolling support window. The latest minor release receives full support (features + security). The previous minor receives security and critical bug fixes only. Older releases are considered End of Security Support (EoSS).
| Version | Status | Support Level | Notes |
|---|---|---|---|
| 2.0.2 | ✅ Active (Latest) | Full (features + security) | Current production release |
| 2.0.1 | ✅ Active (Previous) | Security & critical bug fixes | Upgrade recommended |
| 2.0.0 | Critical security only | Security maintenance — upgrade ASAP | |
| < 2.0.0 | ❌ EoSS | No updates | Please upgrade immediately |
Important
Version 2.0.2 introduces critical fixes for hydration mismatches, Next.js 15+ async cookies() requirement compliance for Supabase @supabase/ssr server-side clients, and local TTS generation endpoints.
Upgrading to 2.0.2 is strongly recommended.
- GitHub Private Reporting (Recommended): Please report vulnerabilities via the Security Tab on GitHub. This is the most secure way to reach us.
- Contact Us Privately: If you cannot use GitHub, email mantejarora@gmail.com. For highly sensitive details, you may request our PGP public key via email before sending the full report.
- Description of the vulnerability and its potential impact
- Steps to reproduce (including environment details)
- Any proof-of-concept code or screenshots
- Suggested fix, if available
| Stage | Target SLA |
|---|---|
| Acknowledgement | 48 hours |
| Triage & Severity | 72 hours |
| Fix (Critical/High) | 3–5 days |
| Fix (Medium/Low) | 14–30 days |
| Public Disclosure | Up to 90 days (coordinated) |
We welcome reports regarding our backend, smart contracts, AI implementation, and frontend security.
- Prompt Injection: Bypassing system prompts to access internal logic or user data.
- Insecure Output Handling: AI-generated content that executes malicious scripts (XSS).
- Training Data Poisoning: Malicious manipulation of training data or fine-tuning processes to introduce backdoors or biases.
- Sensitive Information Disclosure: AI outputs that leak API keys, internal paths, or PII.
- Non-Security Issues: AI "Hallucinations" (making things up) or generic "jailbreaks" that do not lead to data exposure are considered Out-of-Scope.
| Severity | Example Impact | Target Fix Window |
|---|---|---|
| Critical | RCE, AI-driven data exfiltration, key compromise | 24–72 hours |
| High | Auth bypass, prompt injection leaking system logs | 3–5 days |
| Medium | XSS via AI output, SSRF with limited scope | < 14 days |
| Low | Reflected XSS, minor info disclosure | < 30 days |
| Informational | Best practice deviation | As capacity |
- Report received via GitHub Security Advisory or private email
- Triage & severity classification — target within 48 hours
- Reproduction + impact assessment
- Patch development on private branch
- Optional coordinated disclosure window (up to 90 days for High/Critical if complex)
- Release new patched version & update CHANGELOG (Security section)
- Public disclosure (if warranted) and reporter credit
- Dependencies are regularly audited via
npm auditand automated scanning tools - Secure coding practices enforced through code reviews, ESLint, and TypeScript strict mode
- Helmet.js for HTTP header hardening on all Express routes
- Rate limiting (
express-rate-limit) on public API endpoints - Input validation via
express-validatorand Zod schemas - CORS configured to restrict cross-origin access
- Environment secrets managed via
.env.local(never committed to version control) - WCAG 2.1 AA accessibility compliance reduces attack surface from misleading UI
- Supabase Row Level Security (RLS) enforced on all tables
- WalletConnect signature verification for wallet-based authentication
GroqTales takes the security of user data seriously. We implement industry-standard measures to protect data both in transit and at rest:
- HTTPS enforced in production
- PostgreSQL/Supabase DB connections authenticated and encrypted with Row Level Security (RLS)
- Secure session management with encrypted JWT tokens managed via Supabase Auth
- No secrets exposed in client-side bundles
- Wallet signatures verified server-side (Ethereum
personal_sign) - Platform signer private key isolated to server-side only (never exposed to client)
- Supabase Storage buckets with RLS policies (public read, authenticated upload, owner-only delete)
- Story engagement data (votes, comments, saves) protected by per-user RLS policies
- Dependencies are monitored during routine update cycles and via GitHub Dependabot
- High/Critical advisories trigger an expedited patch release
- Smart contract dependencies and compiler versions are pinned in
foundry.toml/ related config - React, Next.js, and Express versions are kept within supported LTS windows
If you find a vulnerability in a third-party package we use that directly affects GroqTales, you may still report it — include the upstream advisory if available.
- Principle of Least Privilege for all service/API keys
- Input validation & output encoding for user content rendering
- Separation of client/server data — no secrets in client bundles
- Avoid dynamic
eval/ code generation in runtime paths - Rate limiting and abuse detection for public endpoints
- Content Security Policy headers via Helmet
- Server-side rendering (SSR) safe patterns — no raw
document/windowaccess without guards - Worker endpoints protected by shared
WORKER_SECRETfor internal-only access - Outbound AI API calls (Gemini, Groq) protected with 30-second
AbortControllertimeout - Sarvam TTS API calls gated behind authentication middleware
- Docker health checks using
/healthzliveness probe
| Component | Technology | Version |
|---|---|---|
| Runtime | Node.js | ≥ 22.0.0 |
| Framework | Next.js | 14.1.0 |
| Backend | Express.js | 5.1.0 |
| Database | Supabase (PostgreSQL) | latest |
| Storage | Supabase Storage (S3-compatible) | latest |
| Auth | Supabase Auth + Wallet Signatures | 2.x |
| AI (Chairman) | Google Gemini | latest |
| AI (Tasks) | Groq LPU | latest |
| TTS | Sarvam AI Bulbul v3 | latest |
| Blockchain | Ethereum Mainnet via Alchemy | latest |
| Wallet | WalletConnect v2 + MetaMask | latest |
| HTTP Security | Helmet | 8.x |
| Rate Limiting | express-rate-limit | 8.x |
| Validation | Zod + express-validator | 3.x / 7.x |
| TypeScript | TypeScript (strict) | 5.8.x |
| Container | Docker (multi-stage build) | latest |
Thank you for helping keep GroqTales and our community safe!