| # Security Policy |
|
|
| ## Supported Versions |
|
|
| | Version | Supported | |
| | ------- | ------------------ | |
| | >= 3.3 | :white_check_mark: | |
| | < 3.3 | :x: | |
|
|
| ## Reporting a Vulnerability |
|
|
| LexRAG is a legal research tool designed for professional use. Security is a top priority. |
|
|
| **Please do not report security vulnerabilities through public GitHub issues.** |
|
|
| Instead, report them directly to: |
|
|
| - **Email**: security@eulogik.com |
| - **PGP Key**: Available on request |
|
|
| ### What to include |
|
|
| - Type of vulnerability |
| - Steps to reproduce |
| - Affected versions |
| - Potential impact |
| - Suggested fix (if any) |
|
|
| ### What to expect |
|
|
| - **Acknowledgment** within 48 hours |
| - **Status update** within 5 business days |
| - **Fix timeline** communicated within 10 business days |
|
|
| ## Best Practices for Deployment |
|
|
| 1. **API Keys**: Never commit `.env` to version control. Use environment variables or a secrets manager. |
| 2. **Network**: Run the server behind a reverse proxy (nginx, Caddy) with TLS in production. |
| 3. **Authentication**: Add API key authentication for production deployments (see `LEXRAG_API_KEY`). |
| 4. **Database**: Regularly backup `data/lexrag.db` and `qdrant_storage/`. |
| 5. **Updates**: Keep dependencies updated: `pip install --upgrade -r requirements.txt` |
|
|
| ## Hallucination & Accuracy Disclaimer |
|
|
| LexRAG uses Retrieval-Augmented Generation (RAG) to ground answers in legal documents. However: |
| - AI models may still produce inaccurate or incomplete responses |
| - Always verify AI-generated legal analysis against primary sources |
| - LexRAG is a research assistance tool, not a substitute for qualified legal counsel |
|
|
| ## Responsible Disclosure |
|
|
| We believe in responsible disclosure. If you discover a vulnerability, please give us a reasonable time to fix it before public disclosure. |
|
|