Soth is in active development. Security fixes are applied to the latest
released version on the stable channel. We do not backport fixes to older
releases at this stage.
| Version | Supported |
|---|---|
Latest stable |
Yes |
Latest canary |
Yes |
| Older releases | No |
Please do not open a public GitHub issue for security vulnerabilities.
Soth intercepts and inspects TLS traffic and operates a local MITM CA. A disclosed-before-patched vulnerability could expose user credentials, session tokens, or model API keys. We take this seriously.
Two ways to report privately:
- Preferred — open a GitHub Security Advisory in this repository. This creates a private discussion thread visible only to maintainers.
- Email —
security@soth.ai. Include a clear description, steps to reproduce, affected versions, and any proof-of-concept. PGP encryption is available on request.
- We will acknowledge your report within 2 business days.
- We will provide a preliminary assessment within 7 days, including whether we accept the issue and an expected timeline.
- We will keep you updated as we work on a fix.
- We will credit you in the advisory (unless you prefer to remain anonymous).
In scope:
- The
sothCLI and binaries it produces. - All crates in this repository.
- The MITM CA generation and trust flow.
- The local ops HTTP server.
Out of scope (please report to the relevant project):
- Vulnerabilities in upstream dependencies (rustls, tokio, etc.) — report to those projects; we will pick up the fix on their release.
- Misconfigurations of policies a user wrote themselves.
- Anything requiring physical access to the user's machine.
We follow coordinated disclosure: we will work with the reporter to ship a fix on the stable channel before any public details are released. Once a fix is available, we will publish a GitHub Security Advisory with CVE, affected versions, and credit.