If you discover a security vulnerability in Helix, please report it responsibly.
Do not open a public issue. Instead, please email the maintainers directly with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
Helix handles the following sensitive data:
- Authentication: Managed by Clerk. User sessions and credentials are never stored directly.
- API Keys: Google AI API keys and other secrets are stored as environment variables, never committed to the repository.
- Database: PostgreSQL via Prisma. All API routes authenticate requests through Clerk before accessing data.
- Webhooks: Clerk webhooks are verified using Svix signatures.
- Never commit
.envfiles, API keys, or credentials - Use parameterized queries (Prisma handles this by default)
- Validate and sanitize all user input at API boundaries
- Keep dependencies up to date