journalAI is a self-hosted application that handles private journal entries and encryption keys. I take reports seriously.
Only the latest tagged release on main is supported. Please verify the
issue still reproduces against main before reporting.
Please do not open public GitHub issues for security problems.
Email: security+journalai@bonquiz.site
Please include:
- A description of the issue and its impact (what an attacker can do).
- Reproduction steps — minimal config, exact commands, expected vs. actual behavior. A working PoC against a fresh deployment is ideal.
- Affected commit/tag.
- Your preferred contact and whether you want credit in the advisory.
- Acknowledgement within 72 hours.
- Initial assessment within 7 days.
- Coordinated disclosure: I'll keep you in the loop as a fix is prepared and agree on a public-disclosure date before publishing. For critical issues I aim to ship a fix within 14 days.
In-scope:
- Backend (
backend/): auth, session handling, SQLCipher integration, API routes, import/export, embedding worker. - Frontend (
frontend/): auth flow, CSRF handling, cookie handling, SPA state management. - Deployment templates in
deploy/andscripts/when used as documented. - Supply-chain issues in our direct dependencies (pinned via
pyproject.tomlandpackage.json).
Out of scope:
- Vulnerabilities in upstream LLM/STT/TTS/embedding providers you configure. Report those to the respective vendor.
- Issues that require physical access to the server or an already-compromised host.
- Denial of service by exhausting resources you fully control (send your own server 10k requests/second — that's on you).
- Always set
APP_PASSWORDto a strong value (the config validator rejects obvious weak defaults, but you should go beyond the minimum). - Keep
DB_ENCRYPTION_KEY,SESSION_SECRET,SECRET_KEY_WRAPsecret. LosingDB_ENCRYPTION_KEYmeans losing all entries — there is no recovery. - Place the app behind TLS. The bundled Caddy config does this automatically
when you set
DOMAINto a real hostname. - For additional defense-in-depth, consider an SSO gateway (Cloudflare Access, Authelia, Pomerium) in front of the app.