From 86821863d4ba8fe7d5e54ecb0cde67ef6be922fd Mon Sep 17 00:00:00 2001 From: April M <36110273+aimurphy@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:44:11 -0800 Subject: [PATCH] create initial SECURITY.md --- SECURITY.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..36041483 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,64 @@ +# OpenRAG security policy and responsible disclosure + +## Security policy + +This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. + +### Security and bug fix versions + +- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1) +- Security fixes are given priority and might be enough to cause a new version to be released + +## Report a vulnerability + +We encourage responsible disclosure of security vulnerabilities. If you find or suspect a security issue, please discreetly report it to us so we can address it promptly: + +### Submit a report + +Go to the [OpenRAG Security page](https://github.com/langflow-ai/openrag/security), and then click **Report a vulnerability** to start a private conversation between you and the repository's maintainers. + +Provide as many specific details as possible to help us reproduce and fix the issue quickly, including the following: + +- Steps to reproduce the issue +- Potential impact or concerns +- Any suggested fixes + +Your report is kept confidential, and these details aren't be shared without your consent + +### Response timeline + +We will acknowledge your report within 5 business days. + +We will provide an estimated resolution timeline. + +We will keep you updated on our progress. + +### Disclosure guidelines + +- Don't publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users. +- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review. +- Disclosures must not include the following: + - Data from any OpenRAG customer projects + - OpenRAG user/customer information + - Details about OpenRAG employees, contractors, or partners + +We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly. + +## Known Vulnerabilities + +The following known vulnerabilities are for the OpenRAG codebase. + +This list doesn't include vulnerabilities within OpenRAG dependencies like OpenSearch and Langflow. +For Langflow vulnerabilities, see the [Langflow SECURITY.md](https://github.com/langflow-ai/langflow/blob/main/SECURITY.md). + +There are no known vulnerabilities exclusive to the OpenRAG application at this time. + +## Security Configuration Guidelines + +### Start the Langflow server with authentication enabled + +It is recommended that you set a Langflow password (`LANGFLOW_SUPERUSER_PASSWORD`) so the Langflow server starts with authentication enabled and the `langflow superuser` command disabled. + +You can set this password when you install OpenRAG, or you can [edit the OpenRAG `.env` file and redeploy the OpenRAG containers](https://docs.openr.ag/reference/configuration#set-environment-variables). + +For more information, see [OpenRAG's Langflow settings reference](https://docs.openr.ag/reference/configuration#langflow-settings). \ No newline at end of file