# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in DeepBoner, please report it responsibly.

### How to Report

1. **DO NOT** open a public GitHub issue for security vulnerabilities
2. Email security concerns to the repository maintainers via GitHub's private vulnerability reporting
3. Or use GitHub's Security Advisory feature: **Security** tab > **Report a vulnerability**

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### Response Timeline

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 7 days
- **Fix timeline**: Depends on severity
  - Critical: Within 48 hours
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Next release cycle

## Security Measures

### API Key Handling

- API keys are loaded from environment variables only
- Keys are never logged or exposed in error messages
- `.env` files are gitignored
- No hardcoded credentials in source code

### Dependency Security

- Regular dependency audits via `pip-audit`
- Security scanning with `bandit` in CI
- Pinned dependencies for reproducibility
- Known CVE fixes:
  - `mcp>=1.23.0` - Fixes GHSA-9h52-p55h-vw2f
  - `langgraph-checkpoint-sqlite>=3.0.0` - Fixes GHSA-wwqv-p2pp-99h5
  - `urllib3>=2.6.0` - Fixes GHSA-gm62-xv2j-4w53 and GHSA-2xpw-w6gg-jr37
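
One way to check a pinned requirements file against the minimum versions listed above. This is an added example, not DeepBoner's own code: the `name==version` lock-file format, the function names and the sample pins are assumptions, and only the floors and advisory IDs come from this policy.

```python
import re

# Minimum versions and advisory IDs as listed in this policy.
ADVISORY_FLOORS = {
    "mcp": ("1.23.0", ["GHSA-9h52-p55h-vw2f"]),
    "langgraph-checkpoint-sqlite": ("3.0.0", ["GHSA-wwqv-p2pp-99h5"]),
    "urllib3": ("2.6.0", ["GHSA-gm62-xv2j-4w53", "GHSA-2xpw-w6gg-jr37"]),
}

# Matches exact pins such as "urllib3==2.6.0"; anything else (ranges, extras,
# pre-releases) does not match and is reported as unpinned (fail closed).
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$"
)

def normalize(name):
    """PEP 503 normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version):
    """Numeric tuple with trailing zeros dropped, so 2.6 == 2.6.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_lockfile(text):
    """Return (package, pinned_or_None, floor, advisories) for each violation."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    findings = []
    for pkg, (floor, advisories) in ADVISORY_FLOORS.items():
        pinned = pins.get(pkg)
        if pinned is None or version_key(pinned) < version_key(floor):
            findings.append((pkg, pinned, floor, advisories))
    return findings

# Constructed sample lock file (not taken from the repository).
SAMPLE_LOCK = """\
# constructed sample
mcp==1.22.0
LangGraph_Checkpoint_SQLite==3.0.0
urllib3==2.6
requests==2.32.3
"""

if __name__ == "__main__":
    for pkg, pinned, floor, advisories in check_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: pinned {pinned or 'nothing'}, need >= {floor} ({', '.join(advisories)})")
```

A CI job can fail the build whenever `check_lockfile` returns a non-empty list, which complements the `pip-audit` run by enforcing the specific floors named in this policy.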

### External API Security

- HTTPS enforced for all external API calls
- Rate limiting prevents abuse
- No sensitive data sent to external services (only search queries)

### Input Validation

- Pydantic models for strict input validation
- Query sanitization before external API calls
- Length limits on user inputs

## Security Best Practices for Users

### API Keys

1. Never commit `.env` files
2. Use environment variables in production
3. Rotate keys periodically
4. Use minimal permissions (read-only where possible)

### Deployment

1. Use the provided Docker image for consistency
2. Keep dependencies updated
3. Monitor for security advisories
4. Use HTTPS in production

### HuggingFace Spaces

1. Use Secrets (not public variables) for API keys
2. The HF_TOKEN is used server-side only
3. Users don't need their own tokens

## Known Security Considerations

### Third-Party APIs

DeepBoner queries external biomedical databases:
- PubMed (NCBI)
- ClinicalTrials.gov
- Europe PMC
- OpenAlex

These are trusted public APIs, but:
- Query content is visible to these services
- Rate limits apply
- Availability depends on upstream services

### LLM Providers

- OpenAI and HuggingFace process your queries
- Review their privacy policies if handling sensitive research
- Consider on-premise alternatives for sensitive use cases

### Local Data

- ChromaDB stores embeddings locally
- Default path: `./chroma_db/`
- Contains processed search results (not raw user data)
- Secure or delete when decommissioning

## Security Updates

Security updates will be released as patch versions (e.g., 0.1.1) and announced via:
- GitHub Security Advisories
- Release notes

---

*"Security is rock solid. We take evidence-based security very seriously."*