Skip to content

Security: nextframedev/ai_security_lab

Security

SECURITY.md

Security Policy

Reporting A Vulnerability

Please do not open a public GitHub issue for suspected security problems.

If GitHub private vulnerability reporting is enabled for this repository, use that channel. Otherwise, contact the maintainer privately through GitHub before publishing details.

Include:

  • a short description of the issue
  • affected files, commands, or workflows
  • steps to reproduce when possible
  • impact assessment, especially if local files, API keys, or outbound network requests are involved

Project Scope Notes

ai_security_lab is a local-first teaching project. Even so, a few areas are worth treating carefully:

  • untrusted uploaded content in examples/uploads/
  • local API exposure on non-loopback networks
  • provider endpoint, model, and API key configuration
  • role and retrieval boundaries around policy content
  • audit, export, and example data flows that may surface sensitive text

Safe Defaults

When contributing, prefer:

  • loopback-only local server examples
  • explicit local file paths
  • no hidden network calls
  • predictable JSON responses
  • clear documentation when a change affects trust boundaries, local files, or API behavior
  • extra caution before binding the web app to a non-loopback host

There aren't any published security advisories