Security
KingArthur000 edited this page May 25, 2026 · 1 revision
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
Report them privately by email to security@forgemind.in — subject line: `SECURITY: <short summary>`
Include in your report:
- A description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce it.
- The affected version, commit hash, or deployment URL.
- Any proof-of-concept code, requests, or screenshots.
- Whether the issue is already publicly known or being exploited.
| Stage | Target |
|---|---|
| Acknowledge your report | within 3 business days |
| Initial triage & severity assessment | within 7 days |
| Coordinated public disclosure (after a fix is available) | within 90 days |
You'll be kept informed of progress and credited in the disclosure if you wish. Full scope and safe-harbour terms are in SECURITY.md.
Because you self-host ForgeChat, you're responsible for your deployment. At a minimum:
- Never commit `backend/.env` or any secret. Keep `FORGECRM_ENCRYPTION_KEY`, `JWT_SECRET`, and `META_WEBHOOK_VERIFY_TOKEN` secret and unique.
- Keep your Meta access tokens private (ForgeChat stores them encrypted at rest with AES-256-GCM).
- Serve only over HTTPS/TLS, and never expose your PostgreSQL or Redis ports publicly.
- Keep ForgeChat, its dependencies, and the base Docker images up to date.
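
One way to check the first item of this list before each deploy, as an added example that is not part of ForgeChat: it verifies that the env file is not tracked by git and that the three named secrets are all set and pairwise distinct. It assumes dotenv-style `KEY=value` lines, and every function name in it is hypothetical.

```sh
#!/bin/sh
# Added example (not ForgeChat code): pre-deploy check for a self-hosted env file.
# Assumes dotenv-style KEY=value lines; all function names here are hypothetical.

REQUIRED_KEYS="FORGECRM_ENCRYPTION_KEY JWT_SECRET META_WEBHOOK_VERIFY_TOKEN"

# env_value FILE KEY: print KEY's value (last assignment wins), dropping an
# optional "export " prefix, trailing whitespace and surrounding quotes.
env_value() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2=//p" "$1" | tail -n 1 |
    sed -E -e 's/[[:space:]]+$//' -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# check_secrets FILE: succeed only if every required key is set and no two
# share a value. Prints key names only, never the secret values.
check_secrets() (
  rc=0
  seen=""
  for key in $REQUIRED_KEYS; do
    val=$(env_value "$1" "$key")
    if [ -z "$val" ]; then
      echo "MISSING $key"; rc=1
    elif printf '%s\n' "$seen" | grep -Fxq -- "$val"; then
      echo "REUSED $key"; rc=1
    fi
    seen=$(printf '%s\n%s' "$seen" "$val")
  done
  exit "$rc"
)

# env_is_tracked FILE: succeed if git tracks FILE (a finding, not a pass).
env_is_tracked() {
  git -C "$(dirname "$1")" ls-files --error-unmatch -- "$(basename "$1")" >/dev/null 2>&1
}

# audit_env FILE: run both checks; non-zero status means fix before deploying.
audit_env() (
  rc=0
  if env_is_tracked "$1"; then echo "TRACKED $1"; rc=1; fi
  check_secrets "$1" || rc=1
  exit "$rc"
)
```

Source the file and run `audit_env backend/.env` from CI or a pre-commit hook, failing the job on a non-zero status.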
See also: Contributing • Configuration & Environment Variables • FAQ
ForgeChat · fair-code under the Sustainable Use License · © 2026 Forgemind Techhub LLP. Forgemind AI is a trademark of Forgemind Techhub LLP — see TRADEMARK.md.