Security: byte271/ByeBrief

ByeBrief Security

Overview

ByeBrief is designed with privacy and security as core principles. This document outlines our security practices.


Data Storage

Local Storage Only

All investigation data is stored in browser localStorage:

  • Canvas nodes and edges
  • Notes
  • Settings
  • Session recordings
  • Audit logs

Data never leaves your machine unless you explicitly:

  • Export to a file
  • Use web search (opt-in)
  • Copy content to clipboard

API Keys

API keys for search services (Brave, Tavily) are stored in localStorage:

  • Stored in plain text in browser storage
  • Only sent to the respective search API
  • Never sent to ByeBrief servers (there are none)

Recommendation: Use dedicated API keys for ByeBrief and rotate them regularly.
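Since the keys sit in plain text in localStorage, the two controls worth enforcing in code are the "only sent to the respective search API" rule above and keeping keys out of anything exported or shared. The following is an added example, not code from the ByeBrief project; the provider origins, header names and settings shape it uses are assumptions.

```javascript
// Added example, not ByeBrief's own code. It refuses to attach a search-API key to
// any request whose origin is not that provider's allowlisted origin, and strips
// keys from a settings object before it is exported or pasted anywhere.
// Provider origins, header names and the settings layout are assumptions.
const PROVIDER_ORIGINS = {
  brave: "https://api.search.brave.com",
  tavily: "https://api.tavily.com",
};

// How each provider expects the key (assumed; confirm against the provider docs).
const PROVIDER_AUTH_HEADER = {
  brave: (key) => ({ "X-Subscription-Token": key }),
  tavily: (key) => ({ Authorization: `Bearer ${key}` }),
};

// Build { url, headers } for a search call. Throws instead of attaching the key
// when the target origin is not exactly the provider's allowlisted origin, which
// also catches http:// downgrades, look-alike hosts and cross-provider mix-ups.
function buildSearchRequest(provider, url, apiKey) {
  const expectedOrigin = PROVIDER_ORIGINS[provider];
  if (!expectedOrigin) throw new Error(`unknown provider: ${provider}`);
  if (typeof apiKey !== "string" || apiKey.length === 0) {
    throw new Error(`no API key configured for ${provider}`);
  }
  let target;
  try {
    target = new URL(url);
  } catch {
    throw new Error(`invalid request URL: ${url}`);
  }
  // URL.origin is scheme + host + port, so "https://api.search.brave.com.evil.example"
  // and "http://api.search.brave.com" both fail this comparison.
  if (target.origin !== expectedOrigin) {
    throw new Error(`refusing to send ${provider} key to ${target.origin}`);
  }
  return { url: target.href, headers: PROVIDER_AUTH_HEADER[provider](apiKey) };
}

// Return a copy of the settings object with every API key removed, so an exported
// settings file never carries credentials; only the provider names are kept so the
// user knows which keys to re-enter after import.
function scrubSettingsForExport(settings) {
  const { apiKeys, ...rest } = settings;
  const scrubbed = JSON.parse(JSON.stringify(rest)); // settings are JSON-serialisable
  if (apiKeys) scrubbed.apiKeyProviders = Object.keys(apiKeys);
  return scrubbed;
}
```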


Privacy Guarantees

No Telemetry

  • No usage analytics
  • No error reporting
  • No crash logs sent anywhere

No Cloud Sync

  • No account required
  • No data uploaded to any server
  • No third-party data processing

Local AI

  • Ollama runs on localhost
  • AI prompts stay on your machine
  • No external AI API calls (unless you configure them)

Data Retention

Session Data

  • Stored in localStorage until explicitly cleared
  • No automatic expiration
  • User can delete via Settings → UI → Clear Data

Export Files

  • Generated in browser memory only
  • Downloaded directly to user's device
  • No server-side processing

Audit Logs

  • Stored locally with investigation data
  • Exportable for compliance purposes
  • Deleted when user clears investigation

Browser Security

Same-Origin Policy

  • Application runs entirely client-side
  • No server-side code execution
  • Sandboxed by browser security model

Content Security Policy

  • No inline scripts (React handles this)
  • No external resource loading (except user-configured APIs)

User Responsibilities

Protecting Your Data

  1. Clear browser data - Use Settings → UI → Clear Data when done
  2. Don't share URLs - URLs may contain investigation data
  3. Secure API keys - Don't commit API keys to version control
  4. Local network - Only run on trusted networks

API Key Best Practices

  • Don't add API keys to any config files in the repo
  • Only enter them in the browser Settings UI
  • Use environment variables if integrating externally

Reporting Security Issues

If you discover a security vulnerability, please report it via GitHub issues with the "security" label.


Changes to This Policy

We may update this policy periodically. Users will be notified of material changes via release notes.
