We actively support the following versions with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability in the Surrogate Model Platform, please help us protect our users by following responsible disclosure practices.

For security vulnerabilities, please DO NOT create a public GitHub issue.

Instead, please:

1. Email directly: Send details to durai@infinidatum.net
2. Subject line: "Security Vulnerability - Surrogate Model Platform"
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Any suggested fixes (if available)

• Acknowledgment: We'll acknowledge receipt within 24 hours
• Initial Assessment: We'll provide an initial assessment within 72 hours
• Updates: We'll keep you informed of our progress
• Resolution: We aim to resolve critical vulnerabilities within 7 days
• Disclosure: We'll coordinate public disclosure after the fix is available

This security policy applies to:

• ✅ Core Platform: Backend API and ML algorithms
• ✅ Authentication: JWT and user management systems
• ✅ Database: Data access and storage security
• ✅ API Endpoints: All REST API security
• ✅ Docker Images: Container security
• ✅ Dependencies: Third-party package vulnerabilities

The following are typically out of scope:

• ❌ Social engineering attacks
• ❌ Physical security issues
• ❌ Denial of Service (DoS) attacks
• ❌ Issues in third-party services (GitHub, Docker Hub, etc.)
• ❌ Vulnerabilities requiring admin/root access

When deploying the Surrogate Model Platform:

1. Authentication:

   • Use strong, unique passwords
   • Enable two-factor authentication where available
   • Regularly rotate API keys and secrets

2. Environment Security:

   • Keep all dependencies updated
   • Use secure communication (HTTPS/TLS)
   • Implement proper firewall rules
   • Use secure database configurations

3. Data Protection:

   • Encrypt sensitive data at rest
   • Use secure communication channels
   • Implement proper backup strategies
   • Follow data privacy regulations (GDPR, etc.)

4. Access Control:

   • Follow principle of least privilege
   • Regularly audit user permissions
   • Use role-based access control (RBAC)
   • Monitor access logs

When contributing to the project:

1. Code Security:

   • Follow secure coding practices
   • Validate all inputs
   • Use parameterized queries
   • Avoid hardcoded secrets

2. Dependencies:

   • Keep dependencies updated
   • Audit packages for vulnerabilities
   • Use package lock files
   • Avoid unnecessary dependencies

3. Testing:

   • Include security test cases
   • Test authentication and authorization
   • Validate input sanitization
   • Test error handling

1. Authentication: Uses JWT tokens with configurable expiration
2. Authorization: Role-based access control implemented
3. Input Validation: API endpoints include input validation
4. SQL Injection: Protected via SQLAlchemy ORM
5. CORS: Configurable CORS settings
6. Rate Limiting: Recommended for production deployments

1. SSL/TLS: Always use HTTPS in production
2. Database Security: Use encrypted connections and credentials
3. Secret Management: Use proper secret management systems
4. Monitoring: Implement security monitoring and alerting
5. Updates: Keep all components updated regularly

For commercial deployments requiring enhanced security:

• Enterprise Support: Contact durai@infinidatum.net
• Security Audits: Available for commercial customers
• Custom Security Features: Can be developed under commercial agreements
• Compliance: Support for industry-specific compliance requirements

• All default passwords changed
• SSL/TLS certificates configured
• Database access properly secured
• API rate limiting configured
• Logging and monitoring enabled
• Backup and recovery procedures tested
• Security scanning completed
• Access controls validated

• Dependencies updated monthly
• Security patches applied promptly
• Access logs reviewed regularly
• User permissions audited quarterly
• Backup integrity verified
• Incident response plan updated
• Security training completed

We provide security updates through:

1. GitHub Releases: Security patches in new versions
2. Security Advisories: GitHub security advisories for critical issues
3. Email Notifications: For commercial customers
4. Documentation Updates: Security best practices updates

For security-related inquiries:

• Security Issues: durai@infinidatum.net
• General Security Questions: Create a GitHub Discussion
• Commercial Security: durai@infinidatum.net

We appreciate security researchers who help keep our platform secure. Contributors who report valid security vulnerabilities will be:

• Acknowledged in our security hall of fame (with permission)
• Credited in release notes for security fixes
• Considered for bug bounty rewards (commercial deployments)

• OWASP Top 10
• NIST Cybersecurity Framework
• FastAPI Security Documentation
• Docker Security Best Practices

Remember: Security is everyone's responsibility. When in doubt, please reach out to us.

Last updated: September 2024