Skip to content

Security: erdkocak/PrivateRAG

Security

SECURITY.md

Security Policy

PrivateRAG v0 is unaudited software. It is not externally audited and does not provide production-grade cryptographic assurance.

Supported Security Boundary

The only supported private retrieval profile for v0 is simplepir-rs-v0-1000-1k over simplepir-lwe-v0, with security_status = supported-v0-unaudited.

That profile is supported only within this documented envelope:

  • at most 1,000 records
  • exactly 1,024-byte PIR records
  • exactly 384-dimensional finite f32 local index rows
  • fixed top_k=2
  • fixed retrieval_count=4
  • public cache <= 2.5 MiB
  • full bundle <= 3.5 MiB

Unsupported shapes are expected to fail closed. A bypass that silently accepts a shape outside this envelope is security-relevant.

The older simplepir-rs-experimental-v0 profile is compatibility/development only. The toy-development-only-v0 profile is development/test only. Neither is a supported private-retrieval profile.

Non-Claims

PrivateRAG v0 does not claim:

  • external cryptographic audit
  • production-grade cryptographic assurance
  • malicious-server security
  • compromised-client security
  • traffic-analysis resistance
  • side-channel-free retrieval
  • arbitrary-scale retrieval
  • arbitrary top_k or retrieval_count support
  • authentication, authorization, tenant isolation, TLS termination, or log controls
  • authenticated bundle provenance

Current bundles are unsigned. Checksums detect file drift after a trusted deployment obtains checksums.json; they do not authenticate the bundle producer or protect against a party that can replace both files and checksums.

Reporting Vulnerabilities

For sensitive reports, use GitHub private vulnerability reporting for this repository if it is enabled.

If private reporting is not available, open a public issue that asks for a private contact path, but do not include exploit details, private data, tokens, or unreleased vulnerability details in the public issue.

For non-sensitive bugs, documentation issues, or questions about documented limitations, a normal GitHub issue is appropriate.

Please include, when safe:

  • affected commit or version
  • affected component: bundle format, packer, server, CLI, Python SDK, adapter, benchmark tooling, or docs
  • expected behavior and observed behavior
  • whether the issue can expose query text, query embeddings, selected chunk IDs, selected internal record IDs, decoded chunk text, server-only bundle files, or unsupported profile shapes
  • a minimal reproduction that does not include private corpus data or secrets

Public Discussion Guidance

Do not post sensitive exploit details, private corpora, API keys, credentials, tokens, generated private bundles, or deployment logs in public issues.

If you are unsure whether a report is sensitive, treat it as sensitive first.

There aren't any published security advisories