Security

bcat is built for users who care about privacy and security. This page summarises the security posture of the chat.bcat.app surface and the brodycat.com marketing site, and explains how to report a vulnerability.

Posture summary

• Local inference. Models run on the same VPS as the app via Ollama; prompts never leave the host.
• Auth. Google OAuth → short-lived JWT, verified server-side with jwks-rsa.
• Transport. TLS 1.3 with HSTS, OCSP stapling, and post-quantum hybrid where the client supports it.
• HTTP headers. CSP with nonce, COOP / COEP / CORP, Referrer-Policy, X-Content-Type-Options, X-Frame-Options.
• Email. SPF + DKIM + DMARC p=reject, MTA-STS, TLS-RPT.
• Privileges. Server runs as www-data under systemd with ProtectHome=yes and a single NOPASSWD entry restricted to systemctl restart bcat.service.
• Self-update. Admin endpoint performs a fast-forward git pull only — no arbitrary remotes, no force resets.

Reporting vulnerabilities

Email security@aegyrix.com with details and reproduction steps. We acknowledge within 72 hours and aim to issue a fix within 14 days for high-severity issues.

You can also see /.well-known/security.txt (RFC 9116).