If you discover a security vulnerability in Yavio, please report it responsibly. Do not open a public GitHub issue.
Email: security@yavio.ai
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
Response targets:

| Stage | Target |
|---|---|
| Acknowledgment | Within 24 hours |
| Initial assessment | Within 3 days |
| Fix released | Within 7 days for critical issues |
Disclosure process:
- Report the vulnerability via email to security@yavio.ai
- We will acknowledge receipt within 24 hours
- We will investigate and keep you updated on progress
- Once a fix is ready, we will coordinate disclosure with you
- We will credit you in the release notes (unless you prefer to remain anonymous)
This policy covers:
- `@yavio/sdk` (npm package)
- `@yavio/cli` (npm package)
- `yavio/dashboard` (Docker image)
- `yavio/ingest` (Docker image)
- The Yavio Cloud service at `*.yavio.ai`
Out of scope:
- Vulnerabilities in third-party dependencies (report these upstream, but let us know if they affect Yavio)
- Social engineering attacks
- Denial of service attacks
- Issues in environments running unsupported or heavily modified versions
Deployment recommendations:
- Always run behind a TLS-terminating reverse proxy in production
- Set strong, unique values for `NEXTAUTH_SECRET`, `JWT_SECRET`, `API_KEY_HASH_SECRET`, and `ENCRYPTION_KEY`
- Never expose database ports (5432, 8123, 9000) to the public internet
- Keep Docker images updated (`yavio update`)
- Review the deployment documentation for production hardening
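As an added example (not Yavio's own code or tooling), the following Python script is a pre-deployment check for the recommendations above: it generates an independent CSPRNG-derived value for each of the four named secrets, flags values that are missing, short, placeholder-looking or reused across variables, and flags Docker-style port mappings that publish one of the database ports on a non-loopback interface. The minimum secret length, the placeholder patterns and the sample mappings are assumptions made for illustration.

```python
"""Pre-deployment hardening check (added example, not part of the Yavio project).

Assumptions: a 32-character minimum for secrets, a small list of placeholder
words, and Docker Compose style "host_ip:host_port:container_port" mappings.
"""
import re
import secrets

# The four secrets the policy names, and the database ports it says must
# never be reachable from the public internet.
REQUIRED_SECRETS = ("NEXTAUTH_SECRET", "JWT_SECRET",
                    "API_KEY_HASH_SECRET", "ENCRYPTION_KEY")
DATABASE_PORTS = {5432, 8123, 9000}
MIN_SECRET_LEN = 32  # assumed floor: 32 hex chars is 128 bits of entropy
PLACEHOLDER = re.compile(r"changeme|secret|password|example|todo", re.I)


def generate_env(secret_bytes: int = 32) -> dict:
    """Return one independent, CSPRNG-derived hex value per required secret."""
    return {name: secrets.token_hex(secret_bytes) for name in REQUIRED_SECRETS}


def check_secrets(env: dict) -> list:
    """Report missing, short, placeholder-looking or reused secret values."""
    findings, seen = [], {}
    for name in REQUIRED_SECRETS:
        value = env.get(name, "")
        if not value:
            findings.append(f"{name}: missing")
            continue
        if len(value) < MIN_SECRET_LEN:
            findings.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: looks like a placeholder")
        if value in seen:  # each secret must be unique, per the policy
            findings.append(f"{name}: reuses the value of {seen[value]}")
        else:
            seen[value] = name
    return findings


def _split_mapping(mapping: str):
    """Split a Docker port mapping into (host_ip, [host_port, container_port])."""
    spec = mapping.split("/")[0]  # drop a trailing "/tcp" or "/udp"
    host_ip = None
    if spec.startswith("["):      # bracketed IPv6 host, e.g. "[::1]:5432:5432"
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:
        host_ip, parts = parts[0], parts[1:]
    # No host address means Docker binds to all interfaces.
    return host_ip or "0.0.0.0", parts


def _is_loopback(host_ip: str) -> bool:
    return host_ip.startswith("127.") or host_ip in ("::1", "localhost")


def check_port_mappings(mappings) -> list:
    """Flag mappings that publish a database port on a non-loopback address."""
    findings = []
    for mapping in mappings:
        host_ip, parts = _split_mapping(str(mapping))
        try:
            container_port = int(parts[-1].split("-")[0])  # first port of a range
        except ValueError:
            findings.append(f"{mapping}: could not parse")
            continue
        if container_port in DATABASE_PORTS and not _is_loopback(host_ip):
            findings.append(
                f"{mapping}: database port {container_port} published on {host_ip}")
    return findings


def audit(env: dict, mappings) -> list:
    """Run both checks; an empty list means no findings."""
    return check_secrets(env) + check_port_mappings(mappings)


if __name__ == "__main__":
    # Constructed sample: one reused secret, one placeholder, two public DB ports.
    sample_env = {"NEXTAUTH_SECRET": "changeme", "JWT_SECRET": "a" * 40,
                  "API_KEY_HASH_SECRET": "a" * 40}
    sample_ports = ["127.0.0.1:5432:5432", "3000:3000",
                    "0.0.0.0:9000:9000", "8123:8123/tcp", "[::1]:9000:9000"]
    for finding in audit(sample_env, sample_ports):
        print("FINDING:", finding)
    print("fresh env passes:", audit(generate_env(), ["127.0.0.1:5432:5432"]) == [])
```

Binding a database port to `127.0.0.1` (or `::1`) keeps it reachable for the application containers on the same host while the reverse proxy remains the only public listener, which is the arrangement the recommendations above describe.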