Security: marjatmm-sec/SecGraph-AI

Security Policy

Supported versions

Version Supported
Latest (master)
Older branches

Reporting a vulnerability

SecGraph-AI is a security tool — we take vulnerabilities seriously.

Please do not report security vulnerabilities via public GitHub issues. Reporting privately gives time for a fix to be prepared before the vulnerability is publicly known.

Instead, please report vulnerabilities by emailing the maintainer directly. You can find contact details on the GitHub profile associated with this repository.

Please include in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, or a proof-of-concept if available
  • The version or commit where you observed the issue
  • Any suggested mitigations if you have them

You should receive an acknowledgement within 48 hours and a more detailed response within 7 days outlining next steps.

Scope

The following are in scope for vulnerability reports:

  • Security issues in the SecGraph-AI Python codebase (src/)
  • Issues in the Streamlit UI that could expose sensitive data
  • Insecure defaults in configuration that could expose the Neo4j database
  • Issues in the Docker Compose setup that could expose services unintentionally

The following are out of scope:

  • Vulnerabilities in third-party dependencies (Neo4j, Ollama, Streamlit, vis-network) — please report these upstream
  • Issues that require physical access to the machine running SecGraph-AI
  • Issues in LLM model outputs — by design, outputs should be reviewed by a security professional before acting on them

Responsible disclosure

We follow a coordinated disclosure process:

  1. You report the vulnerability privately
  2. We confirm receipt and assess severity within 7 days
  3. We develop and test a fix
  4. We release the fix and credit you (unless you prefer to remain anonymous)
  5. You may publish details after the fix is released

Thank you for helping keep SecGraph-AI and its users safe.
