Skip to content

Security: The-Distillery-dev/thedistillery

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest Yes

Security Model

The Distillery is a loopback proxy. It never stores your Anthropic API key. Your API key travels directly from your local machine to Anthropic's API; The Distillery only reads token counts for billing purposes (BYOK model).

What this means for self-hosters:

  • No API keys are stored server-side
  • The proxy MUST bind to 127.0.0.1 only (loopback)
  • Binding to 0.0.0.0 is unsupported and exposes your Anthropic key to the network

Reporting a Vulnerability

To report a security vulnerability, email stijnwilliam@gmail.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Impact assessment

Do not open a public GitHub issue for security vulnerabilities.

We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities within 90 days of disclosure.

Scope

In scope: The Distillery proxy server, CLI, and dashboard. Out of scope: Third-party dependencies (report to their maintainers), issues requiring physical access to the machine, or social engineering attacks.

There aren't any published security advisories