We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
The LongProbe team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
To help us better understand and resolve the issue, please include as much of the following information as possible:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will send you regular updates about our progress
- Timeline: We aim to resolve critical issues within 7 days
- Credit: If you wish, we will publicly credit you for the discovery once the issue is resolved
When using LongProbe in production:
-
Environment Variables: Store sensitive credentials (API keys, database passwords) in environment variables, not in configuration files
# Good api_key: "${OPENAI_API_KEY}" # Bad api_key: "sk-proj-abc123..."
-
File Permissions: Restrict access to configuration files containing sensitive data
chmod 600 longprobe.yaml chmod 700 .longprobe/
-
Network Security: When using HTTP adapters, always use HTTPS in production
retriever: type: "http" url: "https://api.example.com/retrieve" # Use HTTPS
-
Input Validation: Validate and sanitize user inputs before using them in queries
-
Dependency Updates: Keep LongProbe and its dependencies up to date
pip install --upgrade longprobe
-
Baseline Database: Protect your baseline database file from unauthorized access
chmod 600 .longprobe/baselines.db
-
CI/CD Secrets: Use GitHub Secrets or equivalent for API keys in CI/CD pipelines
env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
LongProbe may use LLM APIs (OpenAI, Anthropic, etc.) for question generation. Always:
- Store API keys in environment variables
- Never commit API keys to version control
- Rotate keys regularly
- Use least-privilege API keys when possible
When connecting to vector databases:
- Use read-only credentials when possible
- Implement network-level access controls
- Use encrypted connections (TLS/SSL)
The HTTP adapter makes requests to external endpoints:
- Validate SSL certificates (don't disable verification)
- Use authentication headers securely
- Be cautious with untrusted endpoints
- Implement rate limiting on your API endpoints
When using the document parser with untrusted files:
- Be aware that parsing PDFs/DOCX can execute embedded code
- Run parsing in isolated environments for untrusted documents
- Validate file types before parsing
The SQLite baseline database stores test results:
- Contains retrieval results and chunk content
- May include sensitive information from your documents
- Protect with appropriate file permissions
- Consider encryption for highly sensitive data
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible
We will coordinate the disclosure with you and credit you in the release notes (unless you prefer to remain anonymous).
Security updates will be released as patch versions (e.g., 0.1.1) and announced via:
- GitHub Security Advisories
- Release notes in CHANGELOG.md
- PyPI release notes
Subscribe to GitHub releases to stay informed.
If you have suggestions on how this process could be improved, please submit a pull request or email opensource@endevsols.com.
Last Updated: May 5, 2026