We take the security of mAIcro seriously. If you believe you have found a security vulnerability, please report it to us as soon as possible.
How to Report:
- Confidential Reporting: Please email us at microclubit@gmail.com.
- GitHub Security Advisory: Alternatively, you can use the "Report a vulnerability" button on GitHub.
Please include:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact.
We will acknowledge your report within 48 hours and provide a timeline for resolution.
To keep your mAIcro instance secure, please follow these guidelines:
mAIcro relies on several sensitive API keys:
- GEMINI_API_KEY
- QDRANT_API_KEY
- DISCORD_BOT_TOKEN
Never commit these keys to version control. Always use the .env file (which is included in .gitignore) or use a secure secret management service (like GitHub Secrets, AWS Secrets Manager, or HashiCorp Vault).
When setting up your Discord bot, only grant the minimum required permissions:
- View Channels
- Read Message History
- Message Content Intent (required for RAG functionality)
Avoid granting Administrator or other broad permissions unless absolutely necessary for your specific use case.
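To check an invite link against the list above before using it, the following added example (not part of the mAIcro code base) decodes the `permissions` value of a Discord bot invite URL and reports anything missing or beyond View Channels and Read Message History. The function name `audit_invite` and the sample URLs are constructed for illustration; the bit positions are Discord's documented permission flags.

```python
from urllib.parse import urlparse, parse_qs

# Permissions this page asks for, as Discord permission bit flags.
REQUIRED = {
    1 << 10: "View Channels",
    1 << 16: "Read Message History",
}
ALLOWED = sum(REQUIRED)  # 66560

# Broad permissions worth naming explicitly when they show up.
BROAD = {
    1 << 3: "Administrator",
    1 << 4: "Manage Channels",
    1 << 5: "Manage Server",
    1 << 13: "Manage Messages",
    1 << 28: "Manage Roles",
}

def audit_invite(url):
    """Return (missing, excess) permission names for a bot invite URL.

    Message Content Intent is not covered here: it is a privileged gateway
    intent enabled in the Developer Portal, not a permission bit.
    """
    query = parse_qs(urlparse(url).query)
    value = int(query.get("permissions", ["0"])[0])
    missing = [name for bit, name in REQUIRED.items() if not value & bit]
    excess = []
    extra = value & ~ALLOWED
    pos = 0
    while extra >> pos:
        bit = 1 << pos
        if extra & bit:
            excess.append(BROAD.get(bit, f"unlisted bit {pos}"))
        pos += 1
    return missing, excess

if __name__ == "__main__":
    # Constructed sample invite URLs; the client_id is a placeholder.
    base = "https://discord.com/oauth2/authorize?client_id=000000000000000000&scope=bot"
    for perms in (66560, 8, 66568):
        print(perms, audit_invite(f"{base}&permissions={perms}"))
```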
Use separate API keys and Qdrant collections for development and production environments to prevent accidental data loss or exposure.
Regularly pull the latest Docker image (ghcr.io/microclub-usthb/maicro:latest) to ensure you have the latest security patches and features.