Thanks for helping us keep Theo safe. OpenCharts is the parent company behind Theo, and security@opencharts.com is the single inbox that covers every product we operate. Every message lands with the security team — not a general support queue.

Reporting a vulnerability

Email security@opencharts.com with as much detail as possible. We prefer:
  1. A short description of the issue.
  2. Reproduction steps — a minimal request, command, or script works best.
  3. The impact you believe the issue has.
  4. Your contact info if you want credit.
Please do not open a public GitHub issue, social-media post, or blog for suspected vulnerabilities.

What happens next

  • Within 2 business days: you receive an acknowledgement that a human has read your report.
  • Within 7 business days: we share a triage decision (accepted, duplicate, out of scope, needs more info).
  • Throughout the fix: we keep you updated and coordinate a disclosure date if one is warranted.
This page is the canonical disclosure pointer. Our machine-readable equivalent is at hitheo.ai/.well-known/security.txt.

Scope

In scope

  • hitheo.ai, api.hitheo.ai, docs.hitheo.ai, artifacts.hitheo.ai
  • The Theo dashboard, API routes, and the embed widget runtime
  • The four public npm packages: @hitheo/sdk, @hitheo/mcp, @hitheo/telegram, @hitheo/whatsapp
  • Our GitHub Actions workflows (.github/workflows/**)

Out of scope

  • Denial-of-service testing against our production endpoints
  • Social-engineering of our team or customers
  • Physical access to our infrastructure
  • Issues that require an attacker to already control the victim’s browser, operating system, email account, npm account, or GitHub account

Safe harbor

We will not pursue legal action against researchers who:
  1. Follow this policy in good faith.
  2. Do not deliberately access or modify other users’ data beyond what’s necessary to demonstrate the issue.
  3. Avoid techniques that degrade service for other customers.
  4. Give us reasonable time to fix the issue before public disclosure.

Supply chain: verifying npm provenance

Every official @hitheo/* package ships with an npm provenance attestation signed by GitHub’s OIDC token. You can verify the tarballs you install with:
  npm audit signatures
See the Authentication page for a deeper walkthrough of how supply-chain provenance works on Theo.

Secrets hygiene

If you find leaked credentials — API keys, database URLs, Clerk secrets, Cloudflare tokens, and so on — in our code, logs, or any public surface, please email security@opencharts.com. We will rotate the affected secret and notify customers whose data might have been exposed. We maintain a list of secret-shaped patterns in our logger so leaked values are redacted before they leave the process. A report of a leak that slipped past our scrubber is especially welcome.
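The scrubber described above, as an added example that is not Theo's or OpenCharts' own code: a Node.js log filter that redacts secret-shaped values from plain log lines and structured log records before they are emitted. The pattern list, the sk_live_/sk_test_ key prefixes and the sample lines are constructed for illustration.

```javascript
// Added example (not Theo's code): redact secret-shaped values from log text
// and structured log records before they leave the process.
// The patterns below are constructed for illustration, not Theo's real list.
const SECRET_PATTERNS = [
  // Credentials embedded in connection URLs, e.g. postgres://user:pass@host/db
  { name: 'url-credentials',
    re: /([a-z][a-z0-9+.-]*:\/\/[^:\/\s@]+:)([^@\/\s]+)(?=@)/gi, sub: '$1[REDACTED]' },
  // Bearer tokens in Authorization headers
  { name: 'bearer-token', re: /(\bBearer\s+)[A-Za-z0-9\-._~+\/]+=*/g, sub: '$1[REDACTED]' },
  // Prefixed secret keys such as sk_live_... / sk_test_... (assumed prefix style)
  { name: 'prefixed-key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b/g, sub: '[REDACTED]' },
  // key=value or key: value pairs whose key name looks secret-bearing
  { name: 'kv-secret',
    re: /((?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["']?)([^\s"',;]+)/gi,
    sub: '$1[REDACTED]' },
];
// Object keys whose values are redacted outright, whatever they contain
const SENSITIVE_KEY = /(api[_-]?key|secret|token|password|passwd|authorization)/i;

// Replace every secret-shaped substring; returns the scrubbed text plus the
// names of the patterns that fired, so near-leaks can be counted and alerted on.
function scrub(text) {
  const hits = [];
  let out = String(text);
  for (const p of SECRET_PATTERNS) {
    const next = out.replace(p.re, p.sub);
    if (next !== out) hits.push(p.name);
    out = next;
  }
  return { text: out, hits };
}

// Walk a structured log record: values under sensitive key names are replaced
// outright, other strings are pattern-scrubbed, nested objects/arrays recurse.
function scrubObject(value) {
  if (typeof value === 'string') return scrub(value).text;
  if (Array.isArray(value)) return value.map(scrubObject);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? '[REDACTED]' : scrubObject(v);
    }
    return out;
  }
  return value;
}

// Constructed sample log lines, run through the scrubber
const samples = [
  'connecting to postgres://theo:hunter2@db.internal:5432/theo',
  'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature',
  'request ok api_key=abc123 user=alice',
];
for (const s of samples) console.log(scrub(s));
console.log(JSON.stringify(scrubObject({ user: 'alice', cloudflareToken: 'cf-xyz' })));
```

In a real deployment the pattern list is tuned to the secret formats actually in use, and a non-zero hit count is itself a signal worth alerting on, since it means a secret reached the logging layer.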