gmakstutis/openrag
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #686 from langflow-ai/issue-685-docs-security-md

Browse source 
Docs: Create initial SECURITY.md
This commit is contained in:
April I. Murphy 2025-12-19 14:31:00 -08:00 committed by GitHub
commit ac80c3d1c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 64 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
SECURITY.md Normal file
View file

@ -0,0 +1,64 @@
# OpenRAG security policy and responsible disclosure
## Security policy
This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly.
### Security and bug fix versions
- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1)
- Security fixes are given priority and might be enough to cause a new version to be released
## Report a vulnerability
We encourage responsible disclosure of security vulnerabilities. If you find or suspect a security issue, please discreetly report it to us so we can address it promptly:
### Submit a report
Go to the [OpenRAG Security page](https://github.com/langflow-ai/openrag/security), and then click **Report a vulnerability** to start a private conversation between you and the repository's maintainers.
Provide as many specific details as possible to help us reproduce and fix the issue quickly, including the following:
- Steps to reproduce the issue
- Potential impact or concerns
- Any suggested fixes
Your report is kept confidential, and these details aren't shared without your consent.
### Response timeline
We will acknowledge your report within 5 business days.
We will provide an estimated resolution timeline.
We will keep you updated on our progress.
### Disclosure guidelines
- Don't publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review.
- Disclosures must not include the following:
- Data from any OpenRAG customer projects
- OpenRAG user/customer information
- Details about OpenRAG employees, contractors, or partners
We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly.
## Known vulnerabilities
The following known vulnerabilities are for the OpenRAG codebase.
This list doesn't include vulnerabilities within OpenRAG dependencies like OpenSearch and Langflow.
For Langflow vulnerabilities, see the [Langflow SECURITY.md](https://github.com/langflow-ai/langflow/blob/main/SECURITY.md).
There are no known vulnerabilities exclusive to the OpenRAG application at this time.
## Security configuration guidelines
### Start the Langflow server with authentication enabled
It is recommended that you set a Langflow password (`LANGFLOW_SUPERUSER_PASSWORD`) so the Langflow server starts with authentication enabled and the `langflow superuser` command disabled.
You can set this password when you install OpenRAG, or you can [edit the OpenRAG `.env` file and redeploy the OpenRAG containers](https://docs.openr.ag/reference/configuration#set-environment-variables).
For more information, see [OpenRAG's Langflow settings reference](https://docs.openr.ag/reference/configuration#langflow-settings).