We take the security of ExcelAI seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- ❌ Open a public GitHub issue
- ❌ Discuss the vulnerability publicly
- ❌ Test the vulnerability on production systems
- ✅ Email us at security@excelai.com with details
- ✅ Provide a detailed description of the vulnerability
- ✅ Include steps to reproduce (if possible)
- ✅ Give us reasonable time to respond before disclosure
Send your report to: security@excelai.com
Include the following information:
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Affected component (e.g., upload system, authentication, API endpoint)
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up questions
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies based on severity (1-30 days)
- Public Disclosure: After fix is deployed and users have had time to update
We appreciate the work of security researchers who help keep ExcelAI safe. With your permission, we will:
- Acknowledge your contribution in our CHANGELOG
- Add you to our Hall of Fame (if you wish)
- Provide a reference letter for your work (upon request)
| Version | Supported |
|---|---|
| 1.x.x | ✅ Yes |
| < 1.0 | ❌ No |
-
Keep your installation up to date
- Enable automatic updates if possible
- Check for updates regularly
-
Use strong API keys
- Never share your API keys
- Rotate keys regularly
- Use environment variables, never hardcode
-
Enable authentication
- Use OAuth providers (Google, Microsoft)
- Enable 2FA where possible
-
Monitor your usage
- Review audit logs regularly
- Set up alerts for unusual activity
-
Never commit sensitive data
- Use
.env.localfor secrets - Check
.gitignorebefore committing - Use tools like
git-secrets
- Use
-
Validate all inputs
- Sanitize user inputs
- Validate file uploads
- Check file types and sizes
-
Follow secure coding practices
- Use parameterized queries
- Implement proper error handling
- Avoid exposing stack traces
-
Keep dependencies updated
- Run
npm auditregularly - Update vulnerable packages promptly
- Use Dependabot for automated updates
- Run
- Maximum file size: 100MB (configurable)
- Allowed file types: .xlsx, .xlsm, .xls only
- File validation: Type and size checked before processing
- Automatic cleanup: Files deleted after 24 hours
- Virus scanning: Recommended for production (not included by default)
- Rate limiting: Implemented per user tier
- Authentication: Required for all API endpoints
- Input validation: All inputs validated and sanitized
- CORS: Configured for specific domains only
- Encryption: Files encrypted during upload and storage
- Data retention: 24 hours by default
- No training: Your data is never used for AI model training
- Compliance: GDPR-compliant data handling
In the event of a security incident:
- We will investigate immediately
- Affected users will be notified within 72 hours
- A detailed incident report will be published
- Fixes will be deployed as soon as possible
- Post-mortem analysis will be conducted
Before deploying to production, ensure:
- All environment variables are set correctly
- Database credentials are secure
- API keys are rotated regularly
- HTTPS is enabled
- CORS is properly configured
- Rate limiting is enabled
- File upload restrictions are in place
- Logging and monitoring are configured
- Backup systems are in place
- Incident response plan is documented
- Security Issues: security@excelai.com
- General Support: support@excelai.com
- GitHub Issues: GitHub Issues (for non-security issues only)
Subscribe to security updates:
- GitHub Watch: Watch this repository for security advisories
- Email List: Subscribe at https://excelai.com/security-updates
- RSS Feed: https://github.com/Lingz450/ExcelAI/security/advisories.atom
Last Updated: November 2025
Thank you for helping keep ExcelAI and our users safe! 🙏