Please do not open a public GitHub issue for suspected security problems.
If GitHub private vulnerability reporting is enabled for this repository, use that channel. Otherwise, contact the maintainer privately through GitHub before publishing details.
Include:
- a short description of the issue
- affected files, commands, or workflows
- steps to reproduce when possible
- impact assessment, especially if local files, API keys, or outbound network requests are involved
ai_security_lab is a local-first teaching project. Even so, a few areas are
worth treating carefully:
- untrusted uploaded content in
examples/uploads/ - local API exposure on non-loopback networks
- provider endpoint, model, and API key configuration
- role and retrieval boundaries around policy content
- audit, export, and example data flows that may surface sensitive text
When contributing, prefer:
- loopback-only local server examples
- explicit local file paths
- no hidden network calls
- predictable JSON responses
- clear documentation when a change affects trust boundaries, local files, or API behavior
- extra caution before binding the web app to a non-loopback host