Security is a core principle of Butter and we apply security patches across the project. As Butter is still pre-1.0, we strongly recommend staying on the latest release to receive all security updates.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | Best-effort |
Please do not open a public issue for security vulnerabilities.
Use GitHub Private Vulnerability Reporting to submit a report. This keeps the details confidential until a fix is available.
- Description of the vulnerability and its impact.
- Steps to reproduce or a proof-of-concept.
- Affected version(s) and component (e.g., proxy engine, a provider adapter, the WASM plugin host, application-key store).
- Suggested fix, if you have one.
- Acknowledgement within 48 hours.
- Status update within 7 days with an assessment and expected timeline.
- A coordinated disclosure after the fix is released. Credit is given unless you prefer to remain anonymous.
Butter is an AI proxy gateway. Its security controls focus on credential handling, tenant isolation, and untrusted plugin code.
- Vended
btr_-prefixed tokens with per-key usage tracking and an optionalrequire_keyenforcement mode. - Full lifecycle: revoke, rotate, expiry (TTL), and hard purge.
- Per-key scopes (
allowed_models/allowed_providers) enforced in the engine — denied model or provider returns403. - Per-key rate limiting (priority: app-key > IP > global).
- A structured audit log records every lifecycle event.
- Provider API keys are supplied via config with
${ENV_VAR}substitution — no secrets are committed to the repository. - Per-provider
credential_mode:stored(default) — the gateway injects its own managed keys.passthrough— the client's auth header is forwarded upstream and the gateway never stores the credential.
- AWS Bedrock authenticates with SigV4 (IAM), not static API keys.
- External plugins run as WebAssembly modules via the Extism/wazero host (pure Go). WASM modules are memory-isolated from the host and only reach capabilities the host explicitly grants.
- A built-in prompt-injection-guard WASM plugin scans chat messages for known injection patterns (block / log / tag modes).
- Release binaries are signed with cosign
(keyless OIDC); the checksums file carries a
.bundlesignature. - Docker images are signed by immutable digest and carry SLSA build provenance attestations.
- SBOMs (syft) are generated for every release.
- Renovate keeps Go modules, Docker base images, and GitHub Actions up to date.
- All third-party GitHub Actions are pinned to full commit SHAs.
- gosec (SAST) — results uploaded to the GitHub Security tab via SARIF.
- betterleaks — secret detection on push and on a weekly schedule.
- Grype (Anchore) — dependency/filesystem scanning, plus container image scanning of the published distroless image (by digest, before signing).