Security Policy
Supported Versions
| Version | Supported |
|---|---|
| >= 3.3 | :white_check_mark: |
| < 3.3 | :x: |
Reporting a Vulnerability
LexRAG is a legal research tool designed for professional use. Security is a top priority.
Please do not report security vulnerabilities through public GitHub issues.
Instead, report them directly to:
- Email: security@eulogik.com
- PGP Key: Available on request
What to include
- Type of vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
What to expect
- Acknowledgment within 48 hours
- Status update within 5 business days
- Fix timeline communicated within 10 business days
Best Practices for Deployment
- API Keys: Never commit
.envto version control. Use environment variables or a secrets manager. - Network: Run the server behind a reverse proxy (nginx, Caddy) with TLS in production.
- Authentication: Add API key authentication for production deployments (see
LEXRAG_API_KEY). - Database: Regularly backup
data/lexrag.dbandqdrant_storage/. - Updates: Keep dependencies updated:
pip install --upgrade -r requirements.txt
Hallucination & Accuracy Disclaimer
LexRAG uses Retrieval-Augmented Generation (RAG) to ground answers in legal documents. However:
- AI models may still produce inaccurate or incomplete responses
- Always verify AI-generated legal analysis against primary sources
- LexRAG is a research assistance tool, not a substitute for qualified legal counsel
Responsible Disclosure
We believe in responsible disclosure. If you discover a vulnerability, please give us a reasonable time to fix it before public disclosure.