fusionAIze Gate is currently maintained on the latest main branch and the most recent tagged release line.

Do not open a public issue for a suspected vulnerability.

Preferred path:

1. Use GitHub private vulnerability reporting for this repository when available.
2. If private reporting is not available in your GitHub session, open a private GitHub security advisory draft for this repository.
3. Include affected version or commit, reproduction steps, impact, and any suggested mitigation.

Expected handling:

• initial acknowledgement target: within 5 business days
• status update target: within 10 business days after acknowledgement
• coordinated disclosure after a fix or documented mitigation is ready

Please report issues such as:

• request, header, or parameter injection
• dashboard XSS or HTML/CSS injection
• unsafe file-path handling or writable-path assumptions
• auth or secret-handling mistakes
• dependency vulnerabilities with practical impact
• trust-boundary issues between fusionAIze Gate and upstream or local providers

For the v1.0.0 release gate, the reviewed findings and residual risks are summarized in docs/SECURITY-REVIEW-v1.0.0.md.

To reduce risk in deployments:

• keep FAIGATE_DB_PATH outside the repo checkout
• avoid committing .env, database files, SQLite files, logs, or SSH material
• run with the provided systemd hardening or an equivalent container/runtime policy
• keep provider API keys scoped to the minimum set of enabled providers
• keep the default response-security headers enabled unless you have an explicit reverse-proxy reason not to
• tune security.max_json_body_bytes and security.max_upload_bytes to the smallest values that still fit your workloads
• treat x-faigate-* and x-openclaw-* headers as trusted only at the edge you control