If you discover a security vulnerability in the LiveFolders Registry or CLI, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities.
-
Email natan@gaiahub.ai with subject line
[SECURITY] LiveFolders — <brief summary>.
- Include a description of the issue, reproduction steps, and potential impact.
We aim to acknowledge reports within 2 business days and provide
a resolution timeline within 7 business days.
The LiveFolders Registry uses the following controls to protect the service and its users:
- Rate limiting — All API endpoints enforce per-IP rate limits via Upstash Redis to prevent abuse.
- Input validation — Publish requests validate GitHub token ownership before any write occurs. YAML payloads are parsed and rejected on malformed input.
- No secret storage — GitHub tokens are never persisted; they are used only in-flight to verify ownership.
- Parameterized queries — All database access uses parameterized SQL to prevent injection.
- Dependency scanning — Dependencies are reviewed on each deployment; critical CVEs trigger immediate patch releases.
-
The Registry does not scan or vet the contents of published tool repositories.
Users should review source code before installing any third-party tool.
-
Tool installs execute on the user’s machine. The CLI does not sandbox execution
at install time; treat all tools as untrusted code unless you have audited the source.
The following are in scope for responsible disclosure:
- Authentication or authorization bypass on the publish API
- SQL injection or data exfiltration from the registry database
- Rate-limit bypass allowing registry spam
- Malicious package injection / namespace squatting