From eafab524835242730dc1efc87f41ae8121ec1bc1 Mon Sep 17 00:00:00 2001 From: Mason Daugherty Date: Sun, 27 Jul 2025 19:55:25 -0400 Subject: [PATCH] refactor: markdownlint `SECURITY.md` (#32258) --- SECURITY.md | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a8fe367ed5c..1b7589235f1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,6 +11,7 @@ When building such applications developers should remember to follow good securi * [**Defense in Depth**](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)): No security technique is perfect. Fine-tuning and good chain design can reduce, but not eliminate, the odds that a Large Language Model (LLM) may make a mistake. It's best to combine multiple layered security approaches rather than relying on any single layer of defense to ensure security. For example: use both read-only permissions and sandboxing to ensure that LLMs are only able to access data that is explicitly meant for them to use. Risks of not doing so include, but are not limited to: + * Data corruption or loss. * Unauthorized access to confidential information. * Compromised performance or availability of critical resources. @@ -27,10 +28,10 @@ design and secure your applications. ## Reporting OSS Vulnerabilities -LangChain is partnered with [huntr by Protect AI](https://huntr.com/) to provide -a bounty program for our open source projects. +LangChain is partnered with [huntr by Protect AI](https://huntr.com/) to provide +a bounty program for our open source projects. -Please report security vulnerabilities associated with the LangChain +Please report security vulnerabilities associated with the LangChain open source projects [here](https://huntr.com/bounties/disclose/?target=https%3A%2F%2Fgithub.com%2Flangchain-ai%2Flangchain&validSearch=true). Before reporting a vulnerability, please review: @@ -45,39 +46,39 @@ Before reporting a vulnerability, please review: The following packages and repositories are eligible for bug bounties: -- langchain-core -- langchain (see exceptions) -- langchain-community (see exceptions) -- langgraph -- langserve +* langchain-core +* langchain (see exceptions) +* langchain-community (see exceptions) +* langgraph +* langserve ### Out of Scope Targets All out of scope targets defined by huntr as well as: -- **langchain-experimental**: This repository is for experimental code and is not +* **langchain-experimental**: This repository is for experimental code and is not eligible for bug bounties (see [package warning](https://pypi.org/project/langchain-experimental/)), bug reports to it will be marked as interesting or waste of time and published with no bounty attached. -- **tools**: Tools in either langchain or langchain-community are not eligible for bug +* **tools**: Tools in either langchain or langchain-community are not eligible for bug bounties. This includes the following directories - - libs/langchain/langchain/tools - - libs/community/langchain_community/tools - - Please review the [Best Practices](#best-practices) + * libs/langchain/langchain/tools + * libs/community/langchain_community/tools + * Please review the [Best Practices](#best-practices) for more details, but generally tools interact with the real world. Developers are expected to understand the security implications of their code and are responsible for the security of their tools. -- Code documented with security notices. This will be decided on a case by +* Code documented with security notices. This will be decided on a case by case basis, but likely will not be eligible for a bounty as the code is already documented with guidelines for developers that should be followed for making their application secure. -- Any LangSmith related repositories or APIs (see [Reporting LangSmith Vulnerabilities](#reporting-langsmith-vulnerabilities)). +* Any LangSmith related repositories or APIs (see [Reporting LangSmith Vulnerabilities](#reporting-langsmith-vulnerabilities)). ## Reporting LangSmith Vulnerabilities Please report security vulnerabilities associated with LangSmith by email to `security@langchain.dev`. -- LangSmith site: https://smith.langchain.com -- SDK client: https://github.com/langchain-ai/langsmith-sdk +* LangSmith site: +* SDK client: ### Other Security Concerns