# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in DeepBoner, please report it responsibly.

### How to Report

1. **DO NOT** open a public GitHub issue for security vulnerabilities
2. Email security concerns to the repository maintainers via GitHub's private vulnerability reporting
3. Or use GitHub's Security Advisory feature: **Security** tab > **Report a vulnerability**

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 7 days
- **Fix timeline**: Depends on severity
  - Critical: Within 48 hours
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Next release cycle

## Security Measures

### API Key Handling

- API keys are loaded from environment variables only
- Keys are never logged or exposed in error messages
- `.env` files are gitignored
- No hardcoded credentials in source code
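As an added illustration of the first two points (example code, not DeepBoner's own), a standard-library pattern that reads a key only from the environment and scrubs its value from every log record, including values passed as `%`-arguments; the environment variable name, logger name and sample events are constructed for the example.

```python
import io
import logging
import os

PLACEHOLDER = "[REDACTED]"

def load_api_key(env_name: str) -> str:
    """Read an API key from the environment only; fail without echoing any value."""
    value = os.environ.get(env_name, "").strip()
    if not value:
        # Name the variable, never any part of a value, so this error is safe to log.
        raise RuntimeError(f"missing required environment variable {env_name}")
    return value

def redact(text: str, secrets) -> str:
    """Replace every occurrence of a known secret value with PLACEHOLDER, longest first."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, PLACEHOLDER)
    return text

class RedactSecrets(logging.Filter):
    """Logging filter that scrubs secret values from a record before any handler sees it."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        # Render first so secrets passed as %-args are caught, then drop the args so
        # handlers do not re-apply them to the already redacted string.
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True

def scrubbed_logs(secrets, events):
    """Log each (format, args) event through RedactSecrets; return the rendered lines."""
    buf = io.StringIO()  # in-memory sink standing in for a real log destination
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("deepboner-redaction-example")  # constructed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.addFilter(RedactSecrets(secrets))
    for fmt, args in events:
        logger.error(fmt, *args)
    return buf.getvalue().splitlines()
```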
### Dependency Security

- Regular dependency audits via `pip-audit`
- Security scanning with `bandit` in CI
- Pinned dependencies for reproducibility
- Known CVE fixes:
  - `mcp>=1.23.0` - Fixes GHSA-9h52-p55h-vw2f
  - `langgraph-checkpoint-sqlite>=3.0.0` - Fixes GHSA-wwqv-p2pp-99h5
  - `urllib3>=2.6.0` - Fixes GHSA-gm62-xv2j-4w53 and GHSA-2xpw-w6gg-jr37

### External API Security

- HTTPS enforced for all external API calls
- Rate limiting prevents abuse
- No sensitive data sent to external services (only search queries)

### Input Validation

- Pydantic models for strict input validation
- Query sanitization before external API calls
- Length limits on user inputs

## Security Best Practices for Users

### API Keys

1. Never commit `.env` files
2. Use environment variables in production
3. Rotate keys periodically
4. Use minimal permissions (read-only where possible)

### Deployment

1. Use the provided Docker image for consistency
2. Keep dependencies updated
3. Monitor for security advisories
4. Use HTTPS in production

### HuggingFace Spaces

1. Use Secrets (not public variables) for API keys
2. `HF_TOKEN` is used server-side only
3. Users don't need their own tokens

## Known Security Considerations

### Third-Party APIs

DeepBoner queries external biomedical databases:

- PubMed (NCBI)
- ClinicalTrials.gov
- Europe PMC
- OpenAlex

These are trusted public APIs, but:

- Query content is visible to these services
- Rate limits apply
- Availability depends on upstream services

### LLM Providers

- OpenAI and HuggingFace process your queries
- Review their privacy policies if handling sensitive research
- Consider on-premise alternatives for sensitive use cases

### Local Data

- ChromaDB stores embeddings locally
- Default path: `./chroma_db/`
- Contains processed search results (not raw user data)
- Secure or delete when decommissioning

## Security Updates

Security updates will be released as patch versions (e.g., 0.1.1) and announced via:

- GitHub Security Advisories
- Release notes

---

*"Security is rock solid. We take evidence-based security very seriously."* π