Currently, we are in early development. Security updates will be provided for:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of EEG-RAG seriously. If you discover a security vulnerability, please follow these steps:
Please do not create a public GitHub issue for security vulnerabilities.
Report security vulnerabilities through GitHub's Security Advisory feature:
- Navigate to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the vulnerability report form
Alternatively, you can email security concerns to the project maintainers.
Include as much information as possible:
- Type of vulnerability
- Affected component/module
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
- Critical: 1-7 days
- High: 7-14 days
- Medium: 14-30 days
- Low: Best effort
- API Keys: Never commit API keys or secrets to version control
- Environment Variables: Use
.envfiles (not committed to git) - Docker Security: Don't run containers as root
- Dependencies: Keep dependencies updated
- Access Control: Limit access to production systems
- Code Review: All PRs must be reviewed before merging
- Dependency Scanning: Use automated tools to check dependencies
- Input Validation: Validate all user inputs
- Error Handling: Don't expose sensitive information in errors
- Logging: Don't log sensitive data (API keys, passwords, PII)
- EEG-RAG processes scientific literature, which may contain sensitive information
- Ensure compliance with data protection regulations when using with proprietary data
- Be cautious when sharing query logs or cached results
- OpenAI API keys should be stored securely in environment variables
- Implement rate limiting to prevent abuse
- Use HTTPS for all external communications
- Virtual environments should be created inside Docker containers, not in the root directory
- Use official base images from trusted sources
- Regularly update container images
- Don't expose unnecessary ports
- Use authentication for database connections
- Don't use default passwords in production
- Restrict network access to database ports
- Encrypt data in transit
If we receive a security vulnerability report, we will:
- Confirm receipt within 48 hours
- Investigate and validate the vulnerability
- Develop and test a fix
- Release a security patch
- Credit the reporter (if desired)
- Publish a security advisory
Security updates will be announced through:
- GitHub Security Advisories
- Release notes
- CHANGELOG.md
Subscribe to repository notifications to stay informed.
We kindly ask security researchers to:
- Give us reasonable time to fix vulnerabilities before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Not exploit vulnerabilities beyond what's necessary to demonstrate the issue
We commit to:
- Respond promptly to vulnerability reports
- Keep reporters informed of progress
- Credit researchers who report vulnerabilities responsibly
- Not take legal action against researchers who follow this policy
If you have questions about this security policy, please open a discussion on GitHub or contact the maintainers.
Thank you for helping keep EEG-RAG and our users safe!