lexrag / SECURITY.md
GautamKishore's picture
Upload folder using huggingface_hub
18e58fa verified
|
Raw
History Blame Contribute Delete
1.79 kB

Security Policy

Supported Versions

Version Supported
>= 3.3 :white_check_mark:
< 3.3 :x:

Reporting a Vulnerability

LexRAG is a legal research tool designed for professional use. Security is a top priority.

Please do not report security vulnerabilities through public GitHub issues.

Instead, report them directly to:

What to include

  • Type of vulnerability
  • Steps to reproduce
  • Affected versions
  • Potential impact
  • Suggested fix (if any)

What to expect

  • Acknowledgment within 48 hours
  • Status update within 5 business days
  • Fix timeline communicated within 10 business days

Best Practices for Deployment

  1. API Keys: Never commit .env to version control. Use environment variables or a secrets manager.
  2. Network: Run the server behind a reverse proxy (nginx, Caddy) with TLS in production.
  3. Authentication: Add API key authentication for production deployments (see LEXRAG_API_KEY).
  4. Database: Regularly backup data/lexrag.db and qdrant_storage/.
  5. Updates: Keep dependencies updated: pip install --upgrade -r requirements.txt

Hallucination & Accuracy Disclaimer

LexRAG uses Retrieval-Augmented Generation (RAG) to ground answers in legal documents. However:

  • AI models may still produce inaccurate or incomplete responses
  • Always verify AI-generated legal analysis against primary sources
  • LexRAG is a research assistance tool, not a substitute for qualified legal counsel

Responsible Disclosure

We believe in responsible disclosure. If you discover a vulnerability, please give us a reasonable time to fix it before public disclosure.