From 86821863d4ba8fe7d5e54ecb0cde67ef6be922fd Mon Sep 17 00:00:00 2001 From: April M <36110273+aimurphy@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:44:11 -0800 Subject: [PATCH 1/3] create initial SECURITY.md --- SECURITY.md | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..36041483 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,64 @@ +# OpenRAG security policy and responsible disclosure + +## Security policy + +This security policy applies to all public projects under the langflow-ai organization on GitHub. We prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. + +### Security and bug fix versions + +- Fixes are released either as part of the next minor version (e.g., 1.3.0 → 1.4.0) or as an on-demand patch version (e.g., 1.3.0 → 1.3.1) +- Security fixes are given priority and might be enough to cause a new version to be released + +## Report a vulnerability + +We encourage responsible disclosure of security vulnerabilities. If you find or suspect a security issue, please discreetly report it to us so we can address it promptly: + +### Submit a report + +Go to the [OpenRAG Security page](https://github.com/langflow-ai/openrag/security), and then click **Report a vulnerability** to start a private conversation between you and the repository's maintainers. + +Provide as many specific details as possible to help us reproduce and fix the issue quickly, including the following: + +- Steps to reproduce the issue +- Potential impact or concerns +- Any suggested fixes + +Your report is kept confidential, and these details aren't be shared without your consent + +### Response timeline + +We will acknowledge your report within 5 business days. + +We will provide an estimated resolution timeline. + +We will keep you updated on our progress. + +### Disclosure guidelines + +- Don't publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users. +- If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least 30 days in advance for review. 
+- Disclosures must not include the following: + - Data from any OpenRAG customer projects + - OpenRAG user/customer information + - Details about OpenRAG employees, contractors, or partners + +We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly. + +## Known Vulnerabilities + +The following known vulnerabilities are for the OpenRAG codebase. + +This list doesn't include vulnerabilities within OpenRAG dependencies like OpenSearch and Langflow. +For Langflow vulnerabilities, see the [Langflow SECURITY.md](https://github.com/langflow-ai/langflow/blob/main/SECURITY.md). + +There are no known vulnerabilities exclusive to the OpenRAG application at this time. + +## Security Configuration Guidelines + +### Start the Langflow server with authentication enabled + +It is recommended that you set a Langflow password (`LANGFLOW_SUPERUSER_PASSWORD`) so the Langflow server starts with authentication enabled and the `langflow superuser` command disabled. + +You can set this password when you install OpenRAG, or you can [edit the OpenRAG `.env` file and redeploy the OpenRAG containers](https://docs.openr.ag/reference/configuration#set-environment-variables). + +For more information, see [OpenRAG's Langflow settings reference](https://docs.openr.ag/reference/configuration#langflow-settings). \ No newline at end of file From 06ae466a228c16623c38771fc48fa356f0074d56 Mon Sep 17 00:00:00 2001 From: "April I. Murphy" <36110273+aimurphy@users.noreply.github.com> Date: Fri, 19 Dec 2025 13:26:25 -0800 Subject: [PATCH 2/3] Apply suggestions from code review --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 36041483..11efea68 100644 --- a/SECURITY.md +++ b/SECURITY.md 
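Review bot: in the Disclosure guidelines of this hunk, reporters are asked not to publish until the issue has been "assessed, resolved, and notified affected users", but no upper bound is given, and the Response timeline commits only to an acknowledgement within 5 business days plus an unspecified "estimated resolution timeline"; state a maximum coordinated-disclosure window (and what the reporter may do once it lapses) so the embargo is not open-ended. Two smaller points in the same hunk: the opening sentence scopes the policy to "all public projects under the langflow-ai organization", yet the report link is repository-specific and the Known Vulnerabilities section defers to Langflow's own SECURITY.md, so scoping this file to the OpenRAG repository avoids two conflicting policies; and "these details aren't be shared without your consent" has a stray "be" and a missing period (addressed in PATCH 3/3). In the Security Configuration Guidelines, the password is stored in the OpenRAG `.env` file, so consider adding one line that the file must be kept out of version control, and rewording "might be enough to cause a new version to be released" to something like "may on their own warrant a release".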
@@ -44,7 +44,7 @@ We will keep you updated on our progress. We appreciate your efforts in helping us maintain a secure platform, and we look forward to working together to resolve any issues responsibly. -## Known Vulnerabilities +## Known vulnerabilities The following known vulnerabilities are for the OpenRAG codebase. @@ -53,7 +53,7 @@ For Langflow vulnerabilities, see the [Langflow SECURITY.md](https://github.com/ There are no known vulnerabilities exclusive to the OpenRAG application at this time. -## Security Configuration Guidelines +## Security configuration guidelines ### Start the Langflow server with authentication enabled From 447e944687dabfcf28f95ca537d73a2185d2c63b Mon Sep 17 00:00:00 2001 From: "April I. Murphy" <36110273+aimurphy@users.noreply.github.com> Date: Fri, 19 Dec 2025 14:27:58 -0800 Subject: [PATCH 3/3] Update SECURITY.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 11efea68..13f1a761 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -23,7 +23,7 @@ Provide as many specific details as possible to help us reproduce and fix the is - Potential impact or concerns - Any suggested fixes -Your report is kept confidential, and these details aren't be shared without your consent +Your report is kept confidential, and these details aren't shared without your consent. ### Response timeline