DeepBoner / SECURITY.md
Claude
docs: Add comprehensive documentation structure
59ce7b1 unverified

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in DeepBoner, please report it responsibly.

How to Report

  1. DO NOT open a public GitHub issue for security vulnerabilities
  2. Email security concerns to the repository maintainers via GitHub's private vulnerability reporting
  3. Or use GitHub's Security Advisory feature: Security tab > Report a vulnerability

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Fix timeline: Depends on severity
    • Critical: Within 48 hours
    • High: Within 7 days
    • Medium: Within 30 days
    • Low: Next release cycle

Security Measures

API Key Handling

  • API keys are loaded from environment variables only
  • Keys are never logged or exposed in error messages
  • .env files are gitignored
  • No hardcoded credentials in source code

Dependency Security

  • Regular dependency audits via pip-audit
  • Security scanning with bandit in CI
  • Pinned dependencies for reproducibility
  • Known CVE fixes:
    • mcp>=1.23.0 - Fixes GHSA-9h52-p55h-vw2f
    • langgraph-checkpoint-sqlite>=3.0.0 - Fixes GHSA-wwqv-p2pp-99h5
    • urllib3>=2.6.0 - Fixes GHSA-gm62-xv2j-4w53 and GHSA-2xpw-w6gg-jr37

External API Security

  • HTTPS enforced for all external API calls
  • Rate limiting prevents abuse
  • No sensitive data sent to external services (only search queries)

Input Validation

  • Pydantic models for strict input validation
  • Query sanitization before external API calls
  • Length limits on user inputs
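As an added illustration (not DeepBoner's own code), the stdlib-only Python below shows how the API Key Handling and Input Validation rules above can be implemented: a key loader whose error names only the variable, a redaction helper for messages that might reach a log, and a query sanitiser with a hard length cap. The Pydantic model the policy mentions is stood in for by plain functions here, and the 500-character limit is an assumption, not a value from the policy.

```python
# Added illustration, not DeepBoner's own code: environment-only key loading
# that never leaks the key in an error, plus query sanitisation with a length
# cap before the text is forwarded to PubMed, ClinicalTrials.gov, etc.
import os
import re
import unicodedata
from typing import Mapping, Optional

MAX_QUERY_LEN = 500  # assumed limit; the policy does not state a number


class MissingApiKey(RuntimeError):
    """Raised when a required key is absent. Carries only the variable NAME."""


def load_api_key(var: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read an API key from the environment (or a supplied mapping for tests).

    The error message names the variable, never its value. Callers pass the
    returned secret through redact() before anything containing it is logged.
    """
    source = os.environ if env is None else env
    value = source.get(var, "").strip()
    if not value:
        raise MissingApiKey(f"environment variable {var} is not set")
    return value


def redact(message: str, secrets: list[str]) -> str:
    """Replace every occurrence of a known secret in a log or error message."""
    for secret in secrets:
        if secret:
            message = message.replace(secret, "[REDACTED]")
    return message


def sanitize_query(raw: str, max_len: int = MAX_QUERY_LEN) -> str:
    """Normalise a free-text search query before it goes to an external API.

    Steps: Unicode NFKC normalisation, replacement of control characters
    (a stray newline or NUL must never reach a URL) with spaces, whitespace
    collapsing, and a hard length cap so oversized input is rejected locally.
    """
    text = unicodedata.normalize("NFKC", raw)
    text = "".join(" " if unicodedata.category(ch) == "Cc" else ch for ch in text)
    text = re.sub(r"\s+", " ", text).strip()
    if not text:
        raise ValueError("query is empty after sanitisation")
    if len(text) > max_len:
        raise ValueError(f"query exceeds {max_len} characters")
    return text
```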

Security Best Practices for Users

API Keys

  1. Never commit .env files
  2. Use environment variables in production
  3. Rotate keys periodically
  4. Use minimal permissions (read-only where possible)

Deployment

  1. Use the provided Docker image for consistency
  2. Keep dependencies updated
  3. Monitor for security advisories
  4. Use HTTPS in production

HuggingFace Spaces

  1. Use Secrets (not public variables) for API keys
  2. The HF_TOKEN is used server-side only
  3. Users don't need their own tokens

Known Security Considerations

Third-Party APIs

DeepBoner queries external biomedical databases:

  • PubMed (NCBI)
  • ClinicalTrials.gov
  • Europe PMC
  • OpenAlex

These are trusted public APIs, but:

  • Query content is visible to these services
  • Rate limits apply
  • Availability depends on upstream services

LLM Providers

  • OpenAI and HuggingFace process your queries
  • Review their privacy policies if handling sensitive research
  • Consider on-premise alternatives for sensitive use cases

Local Data

  • ChromaDB stores embeddings locally
  • Default path: ./chroma_db/
  • Contains processed search results (not raw user data)
  • Secure or delete when decommissioning

Security Updates

Security updates will be released as patch versions (e.g., 0.1.1) and announced via:

  • GitHub Security Advisories
  • Release notes

"Security is rock solid. We take evidence-based security very seriously."