If you discover a security vulnerability in GraphRAG SDK, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please use one of the following methods:

1. GitHub Security Advisories: Use the Report a vulnerability feature on GitHub (preferred).
2. Email: Send details to security@falkordb.com.

• A description of the vulnerability
• Steps to reproduce the issue
• The potential impact
• Any suggested fixes (optional)

• Acknowledgment: We will acknowledge your report within 48 hours.
• Assessment: We will assess the severity and impact within 5 business days.
• Fix: Critical vulnerabilities will be patched as quickly as possible.
• Disclosure: We will coordinate disclosure timing with you.

This security policy covers the GraphRAG SDK Python package (graphrag-sdk). It does not cover:

• FalkorDB server (report to FalkorDB)
• Third-party LLM providers (OpenAI, Anthropic, Cohere, etc.)
• Dependencies (report to the respective upstream projects)

When using GraphRAG SDK:

• Never commit API keys: Use environment variables or a .env file (see .env.example).
• Use network isolation: Run FalkorDB behind a firewall or private network in production.
• Enable authentication: Configure FalkorDB with username/password via ConnectionConfig.
• Review Cypher queries: The SDK applies label escaping and blocks write operations in generated Cypher, but this is not comprehensive injection prevention. Review any custom queries you add.