create initial SECURITY.md
This commit is contained in:
April M
parent
a460fd05fd
commit
86821863d4
1 changed files with 64 additions and 0 deletions
64
SECURITY.md
Normal file
64
SECURITY.md
Normal file
|
|
@ -0,0 +1,64 @@
|
|||
# OpenRAG security policy and responsible disclosure
|
||||
|
||||
## Security policy
|
||||
|
||||
This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly.
|
||||
|
||||
### Security and bug fix versions
|
||||
|
||||
- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1)
|
||||
- Security fixes are given priority and might be enough to cause a new version to be released
|
||||
|
||||
## Report a vulnerability
|
||||
|
||||
We encourage responsible disclosure of security vulnerabilities. If you find or suspect a security issue, please discreetly report it to us so we can address it promptly:
|
||||
|
||||
### Submit a report
|
||||
|
||||
Go to the [OpenRAG Security page](https://github.com/langflow-ai/openrag/security), and then click **Report a vulnerability** to start a private conversation between you and the repository's maintainers.
|
||||
|
||||
Provide as many specific details as possible to help us reproduce and fix the issue quickly, including the following:
|
||||
|
||||
- Steps to reproduce the issue
|
||||
- Potential impact or concerns
|
||||
- Any suggested fixes
|
||||
|
||||
Your report is kept confidential, and these details aren't be shared without your consent
|
||||
|
||||
### Response timeline
|
||||
|
||||
We will acknowledge your report within 5 business days.
|
||||
|
||||
We will provide an estimated resolution timeline.
|
||||
|
||||
We will keep you updated on our progress.
|
||||
|
||||
### Disclosure guidelines
|
||||
|
||||
- Don't publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
|
||||
- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review.
|
||||
- Disclosures must not include the following:
|
||||
- Data from any OpenRAG customer projects
|
||||
- OpenRAG user/customer information
|
||||
- Details about OpenRAG employees, contractors, or partners
|
||||
|
||||
We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly.
|
||||
|
||||
## Known Vulnerabilities
|
||||
|
||||
The following known vulnerabilities are for the OpenRAG codebase.
|
||||
|
||||
This list doesn't include vulnerabilities within OpenRAG dependencies like OpenSearch and Langflow.
|
||||
For Langflow vulnerabilities, see the [Langflow SECURITY.md](https://github.com/langflow-ai/langflow/blob/main/SECURITY.md).
|
||||
|
||||
There are no known vulnerabilities exclusive to the OpenRAG application at this time.
|
||||
|
||||
## Security Configuration Guidelines
|
||||
|
||||
### Start the Langflow server with authentication enabled
|
||||
|
||||
It is recommended that you set a Langflow password (`LANGFLOW_SUPERUSER_PASSWORD`) so the Langflow server starts with authentication enabled and the `langflow superuser` command disabled.
|
||||
|
||||
You can set this password when you install OpenRAG, or you can [edit the OpenRAG `.env` file and redeploy the OpenRAG containers](https://docs.openr.ag/reference/configuration#set-environment-variables).
|
||||
|
||||
For more information, see [OpenRAG's Langflow settings reference](https://docs.openr.ag/reference/configuration#langflow-settings).
|
||||
Loading…
Add table
Reference in a new issue