NeuroHTTP is an open-source, high-performance AI-native web server built in C and Assembly.
Given its focus on low-level performance and networking, security is a top priority.
This document explains how to responsibly report vulnerabilities and how the team handles them.
If you discover a security vulnerability, please do not open a public GitHub issue.
Instead, contact the maintainer directly via:
- Email: techokba@gmail.com
- GitHub Security Advisories: Submit privately here
Please include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact or exploitation scenarios
- Suggested mitigations (if any)
Once a report is received:
- Acknowledgment: You'll receive a confirmation within 48 hours.
- Investigation: The issue will be validated and analyzed (1-5 business days).
- Fix & Release: A patch or mitigation will be prepared and tested.
- Disclosure: The vulnerability will be responsibly disclosed after a safe update is available.
This policy covers:
- Core server code (`src/`)
- Thread and memory management routines
- Networking stack and protocol handlers (HTTP/1.1, HTTP/2, TLS)
- Plugin and module interface (`plugins/`)
- Authentication, API key, and token mechanisms
It does not cover:
- Third-party libraries used (e.g., OpenSSL, libnghttp2, libcurl)
- User-created plugins or modifications
Note: HTTP/3, WebSocket, and gRPC support are planned but not yet implemented. Claims in other documents about their current availability are aspirational.
The following issues were identified during a comprehensive code audit. They should be addressed before production deployment:
- Stack buffer overflow in base64 decoder (`src/server.c:57-65`): `b64_decode()` writes decoded output without checking against the provided output buffer size. An oversized `HTTP2-Settings` header can overflow a 128-byte stack buffer. Fixed in latest commit.
- Placeholder API key in config (`config/aionic.conf`): The tracked config file previously contained `api_key = your-secret-api-key-here`. API keys should only be supplied via environment variables. Fixed in latest commit.
- Content-Length integer overflow (`src/server.c:284,894`): Parsing `Content-Length` with `atoi()` allows negative values and silent wraparound, potentially bypassing body size checks. Fixed in latest commit (uses `strtol` with validation).
- Uninitialized firewall mutex (`src/firewall.c:50`): `global_firewall.mutex` was used without static or dynamic initialization. Fixed in latest commit.
- Unchecked `strdup()` returns in config parser (`src/config.c:43,90-93`): OOM conditions could lead to a NULL pointer dereference. Fixed in latest commit.
- Empty plugin file (`plugins/limiter.c`): A 0-byte file would crash `dlopen`. Fixed in latest commit.
- `config/key.pem` and `config/cert.pem` exist on disk but are gitignored (`config/*.pem` in `.gitignore`). They should be treated as secrets and regenerated for production.
- The AI model definitions in `aionic.conf` correctly reference environment variable names (e.g., `GROQ_API_KEY`) rather than embedding keys.
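To illustrate the Content-Length finding above, here is an added example (not NeuroHTTP's own code) that places the `atoi()` pattern beside a `strtol`-based parser with validation; the 10 MiB body limit and function names are assumptions for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical body-size limit used only for this example. */
#define MAX_BODY_BYTES 10485760L   /* 10 MiB */

/* Weak pattern: atoi() reports no errors. A header of "-1" parses as a
 * negative int, passes the "too large" comparison, and is later converted
 * to a huge size_t when used as a read length. */
int naive_content_length_ok(const char *hdr) {
    int len = atoi(hdr);
    if (len > MAX_BODY_BYTES) return 0;   /* -1 is not "too large" */
    return 1;
}

/* Hardened pattern: strtol with full validation. Returns true and stores the
 * length in *out only for a string that is optional whitespace, one or more
 * ASCII digits, optional whitespace, and nothing else, whose value fits in a
 * long and does not exceed MAX_BODY_BYTES. */
bool parse_content_length(const char *hdr, size_t *out) {
    char *end;
    long v;

    while (*hdr == ' ' || *hdr == '\t') hdr++;
    /* Refuse '+', '-' and empty input up front: strtol would accept a sign. */
    if (*hdr < '0' || *hdr > '9') return false;

    errno = 0;
    v = strtol(hdr, &end, 10);
    if (errno == ERANGE) return false;    /* value does not fit in a long */
    if (end == hdr) return false;         /* no digits consumed */

    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return false;       /* trailing junk such as "10abc" */

    if (v < 0 || v > MAX_BODY_BYTES) return false;  /* enforce the limit */
    *out = (size_t)v;
    return true;
}
```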
We strongly encourage responsible, coordinated disclosure. Security researchers who follow this policy will receive full credit in release notes and acknowledgments.
If you've found something critical, your contribution may also be featured in the "Security Hall of Fame" section of the README.
GUIAR OQBA
Creator & Lead Developer of NeuroHTTP
Focused on AI infrastructure, performance, and security in low-level systems.
Email: techokba@gmail.com
GitHub: https://github.com/okba14/NeuroHTTP
"Performance without security is just an exploit waiting to happen."
- NeuroHTTP Security Team