| Version | Supported |
|---|---|
| 0.1.x | Yes |
If you discover a security vulnerability within Aion, please report it responsibly.
Do not open a public issue. Instead, email the maintainers directly with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fixes (optional)
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
Aion implements the following security controls:
All sensitive API keys (OpenAI, Gemini, Supabase service role) are stored exclusively as Supabase Edge Function environment variables. The React Native client only holds the public anon key.
Every database table has RLS enabled with strict policies:
bible_verses: Read-only for all users, no client-side writesconversations: Users can only access their own rows (auth.uid() = user_id)messages: Users can only access messages within their own conversationsrate_limits,global_usage,response_cache: No client access (blocked entirely)
Rate limiting is keyed on the client's IP address (via x-forwarded-for), not on spoofable anonymous user IDs:
- 5 requests/minute burst protection
- 30 requests/3 hours per IP
- 200 requests/day global hard cap
If the rate limiting system encounters an error, requests are denied by default rather than allowed through.
Exact-match queries are served from a database cache, eliminating unnecessary LLM API calls and reducing the attack surface for cost-based abuse.
User messages are capped at 500 characters to prevent token-stuffing attacks against the LLM APIs.
A development-only bypass header (x-dev-bypass) is available for testing. It requires a secret stored server-side and is excluded from production builds by leaving EXPO_PUBLIC_DEV_BYPASS empty.
We ask that you give us reasonable time to address any reported vulnerabilities before public disclosure. We are committed to working with security researchers to resolve issues promptly.