Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these guidelines:
Do not open public issues for security vulnerabilities.
Instead, please report it privately:
- Email us at [INSERT SECURITY EMAIL]
- Include a description of the vulnerability
- Provide steps to reproduce the issue
- Describe the potential impact
- Suggest a fix (if known)
We aim to acknowledge reports within 48 hours and will prioritize fixing critical vulnerabilities.
- Never commit AWS credentials to version control.
- Use IAM roles and policies with least privilege.
- Rotate access keys regularly.
- Use AWS Secrets Manager for production environments.
- Store API keys (e.g., Tavily, LangChain) in
.envfiles. - Ensure
.envis added to.gitignore. - Use environment-specific keys where possible.
- Keep dependencies updated to their latest secure versions.
- We periodically audit dependencies for known vulnerabilities.
- Users are encouraged to run
pip-auditor similar tools.
In the event of a security incident:
- We will investigate the scope and impact.
- We will release a patch as soon as possible.
- We will disclose the vulnerability and fix to the community after a responsible disclosure period.