> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hitheo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Disclosure Policy

> How to report a security vulnerability and what happens next. All reports go to security@opencharts.com.

Thanks for helping us keep Theo safe. OpenCharts is the parent company behind
Theo, and `security@opencharts.com` is the single inbox that covers every
product we operate. Every message lands with the security team — not a
general support queue.

## Reporting a vulnerability

Email **[security@opencharts.com](mailto:security@opencharts.com)** with as
much detail as possible. We prefer:

1. A short description of the issue.
2. Reproduction steps — a minimal request, command, or script works best.
3. The impact you believe the issue has.
4. Your contact info if you want credit.

Please **do not** open a public GitHub issue, social-media post, or blog
for suspected vulnerabilities.

### What happens next

* **Within 2 business days**: you receive an acknowledgement that a human
  has read your report.
* **Within 7 business days**: we share a triage decision (accepted,
  duplicate, out of scope, needs more info).
* **Throughout the fix**: we keep you updated and coordinate a
  disclosure date if one is warranted.

This page is the canonical disclosure pointer. Our machine-readable
equivalent is at
[`hitheo.ai/.well-known/security.txt`](https://hitheo.ai/.well-known/security.txt).

## Scope

### In scope

* `hitheo.ai`, `api.hitheo.ai`, `docs.hitheo.ai`, `artifacts.hitheo.ai`
* The Theo dashboard, API routes, and the embed widget runtime
* The four public npm packages: `@hitheo/sdk`, `@hitheo/mcp`,
  `@hitheo/telegram`, `@hitheo/whatsapp`
* Our GitHub Actions workflows (`.github/workflows/**`)

### Out of scope

* Denial-of-service testing against our production endpoints
* Social-engineering of our team or customers
* Physical access to our infrastructure
* Issues that require an attacker to already control the victim's
  browser, operating system, email account, npm account, or GitHub
  account

## Safe harbor

We will not pursue legal action against researchers who:

1. Follow this policy in good faith.
2. Do not deliberately access or modify other users' data beyond what's
   necessary to demonstrate the issue.
3. Avoid techniques that degrade service for other customers.
4. Give us reasonable time to fix the issue before public disclosure.

## Supply chain: verifying npm provenance

Every official `@hitheo/*` package ships with an npm provenance
attestation signed by GitHub's OIDC token. You can verify the tarballs
you install with:

```bash theme={null}
npm audit signatures
```

See the [Authentication](/security/authentication) page for a deeper
walkthrough of how supply-chain provenance works on Theo.

## Secrets hygiene

If you find leaked credentials — API keys, database URLs, Clerk
secrets, Cloudflare tokens, and so on — in our code, logs, or any
public surface, please email `security@opencharts.com`. We will rotate
the affected secret and notify customers whose data might have been
exposed.

We maintain a list of secret-shaped patterns in our logger so leaked
values are redacted before they leave the process. A report of a leak
that slipped past our scrubber is especially welcome.
