We release patches for security vulnerabilities in the following versions:

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill out the form with details

For non-sensitive security questions or general security discussions, you may open a GitHub issue. Do not include sensitive vulnerability details in public issues.

When reporting via Security Advisories, include the following information:

• Type of vulnerability
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Regular Updates: Every 7 days until resolved
• Public Disclosure: After patch is released (coordinated disclosure)

• Authentication: JWT-based authentication
• Authorization: OpenFGA fine-grained access control
• Secrets Management: Infisical integration
• Container Security: Non-root user, minimal base image
• Network Policies: Kubernetes NetworkPolicies
• TLS/SSL: HTTPS enforcement for all endpoints
• Rate Limiting: Kong API Gateway integration
• Audit Logging: OpenTelemetry tracing

We use the following automated tools:

• CodeQL: Static analysis for code vulnerabilities
• Trivy: Container image scanning
• Bandit: Python security linting
• Safety/pip-audit: Dependency vulnerability scanning
• TruffleHog: Secrets scanning
• Dependabot: Automated dependency updates

Scans run:

• On every PR
• Daily scheduled scans
• Before releases

# ✅ DO: Use Infisical or environment variables
export ANTHROPIC_API_KEY="sk-ant-..."

# ❌ DON'T: Hardcode secrets in code
api_key = "sk-ant-..."  # Never do this!

# ✅ DO: Use strong secrets (32+ characters)
JWT_SECRET_KEY=$(openssl rand -base64 32)

# ❌ DON't: Use weak or default secrets
JWT_SECRET_KEY="secret"  # Never in production!

# ✅ DO: Use specific version tags
docker pull ghcr.io/vishnu2kmohan/mcp-server-langgraph:v1.2.3

# ❌ DON'T: Use 'latest' in production
docker pull ghcr.io/vishnu2kmohan/mcp-server-langgraph:latest

# ✅ DO: Use NetworkPolicies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: langgraph-agent-netpol
spec:
  podSelector:
    matchLabels:
      app: langgraph-agent
  policyTypes:
  - Ingress
  - Egress

# 1. Run security scan
make security-check

# 2. Check for secrets
git diff | grep -i "api.key\|secret\|password\|token"

# 3. Scan dependencies
safety check
pip-audit

• No hardcoded secrets or credentials
• Input validation on all user inputs
• SQL injection prevention (parameterized queries)
• XSS prevention (input sanitization)
• CSRF protection enabled
• Authentication/authorization checked
• Error messages don't leak sensitive info
• Dependencies are up to date
• Security headers configured

OpenFGA must be properly configured with:

• PostgreSQL backend (not in-memory)
• TLS/SSL enabled
• Network isolation
• Regular backups

When using Infisical:

• Use Universal Auth with rotation
• Enable MFA for admin access
• Use separate projects per environment
• Enable audit logging

• Tokens expire after 1 hour by default
• Refresh tokens should be implemented for production
• Secret keys must be rotated regularly
• Use RS256 for distributed systems

Configure Kong rate limiting:

• Basic tier: 60 requests/minute
• Premium tier: 300 requests/minute
• Enterprise tier: 1000 requests/minute

1. Day 0: Vulnerability reported
2. Day 2: Acknowledged by security team
3. Day 7: Initial assessment and severity rating
4. Day 14-30: Patch developed and tested
5. Day 30-60: Patch released to supported versions
6. Day 60-90: Public disclosure (if applicable)

Timelines may vary based on severity and complexity.

• GitHub Security Advisories: Primary notification method
• Release Notes: Security fixes highlighted
• Email: For critical vulnerabilities (if subscribed)
• Slack/Discord: Community announcements

# Watch repository for security advisories
# GitHub > Watch > Custom > Security alerts

# Subscribe to releases
# GitHub > Watch > Custom > Releases

# Enable Dependabot alerts
# Settings > Security & analysis > Dependabot alerts

We recognize and thank security researchers who help improve our security:

• Security Advisories: GitHub Security Advisories (preferred)
• Security Team: @vishnu2kmohan/security-team
• GitHub Issues: For non-sensitive security discussions only

• OWASP Top 10
• CWE Top 25
• NIST Cybersecurity Framework
• Kubernetes Security Best Practices

Last Updated: 2025-01-10