github/langchain
1
0
Fork 0
mirror of https://github.com/hwchase17/langchain.git synced 2025-08-20 09:57:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: markdownlint SECURITY.md (#32258)

Browse Source
This commit is contained in:
Mason Daugherty 2025-07-27 19:55:25 -04:00 committed by GitHub
parent efdfa00d10
commit eafab52483
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 18 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
SECURITY.md
View File

@ -11,6 +11,7 @@ When building such applications developers should remember to follow good securi
* [**Defense in Depth**](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)): No security technique is perfect. Fine-tuning and good chain design can reduce, but not eliminate, the odds that a Large Language Model (LLM) may make a mistake. It's best to combine multiple layered security approaches rather than relying on any single layer of defense to ensure security. For example: use both read-only permissions and sandboxing to ensure that LLMs are only able to access data that is explicitly meant for them to use. * [**Defense in Depth**](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)): No security technique is perfect. Fine-tuning and good chain design can reduce, but not eliminate, the odds that a Large Language Model (LLM) may make a mistake. It's best to combine multiple layered security approaches rather than relying on any single layer of defense to ensure security. For example: use both read-only permissions and sandboxing to ensure that LLMs are only able to access data that is explicitly meant for them to use.
Risks of not doing so include, but are not limited to: Risks of not doing so include, but are not limited to:
* Data corruption or loss. * Data corruption or loss.
* Unauthorized access to confidential information. * Unauthorized access to confidential information.
* Compromised performance or availability of critical resources. * Compromised performance or availability of critical resources.
@ -45,39 +46,39 @@ Before reporting a vulnerability, please review:
The following packages and repositories are eligible for bug bounties: The following packages and repositories are eligible for bug bounties:
- langchain-core * langchain-core
- langchain (see exceptions) * langchain (see exceptions)
- langchain-community (see exceptions) * langchain-community (see exceptions)
- langgraph * langgraph
- langserve * langserve
### Out of Scope Targets ### Out of Scope Targets
All out of scope targets defined by huntr as well as: All out of scope targets defined by huntr as well as:
- **langchain-experimental**: This repository is for experimental code and is not * **langchain-experimental**: This repository is for experimental code and is not
eligible for bug bounties (see [package warning](https://pypi.org/project/langchain-experimental/)), bug reports to it will be marked as interesting or waste of eligible for bug bounties (see [package warning](https://pypi.org/project/langchain-experimental/)), bug reports to it will be marked as interesting or waste of
time and published with no bounty attached. time and published with no bounty attached.
- **tools**: Tools in either langchain or langchain-community are not eligible for bug * **tools**: Tools in either langchain or langchain-community are not eligible for bug
bounties. This includes the following directories bounties. This includes the following directories
- libs/langchain/langchain/tools * libs/langchain/langchain/tools
- libs/community/langchain_community/tools * libs/community/langchain_community/tools
- Please review the [Best Practices](#best-practices) * Please review the [Best Practices](#best-practices)
for more details, but generally tools interact with the real world. Developers are for more details, but generally tools interact with the real world. Developers are
expected to understand the security implications of their code and are responsible expected to understand the security implications of their code and are responsible
for the security of their tools. for the security of their tools.
- Code documented with security notices. This will be decided on a case by * Code documented with security notices. This will be decided on a case by
case basis, but likely will not be eligible for a bounty as the code is already case basis, but likely will not be eligible for a bounty as the code is already
documented with guidelines for developers that should be followed for making their documented with guidelines for developers that should be followed for making their
application secure. application secure.
- Any LangSmith related repositories or APIs (see [Reporting LangSmith Vulnerabilities](#reporting-langsmith-vulnerabilities)). * Any LangSmith related repositories or APIs (see [Reporting LangSmith Vulnerabilities](#reporting-langsmith-vulnerabilities)).
## Reporting LangSmith Vulnerabilities ## Reporting LangSmith Vulnerabilities
Please report security vulnerabilities associated with LangSmith by email to `security@langchain.dev`. Please report security vulnerabilities associated with LangSmith by email to `security@langchain.dev`.
- LangSmith site: https://smith.langchain.com * LangSmith site: <https://smith.langchain.com>
- SDK client: https://github.com/langchain-ai/langsmith-sdk * SDK client: <https://github.com/langchain-ai/langsmith-sdk>
### Other Security Concerns ### Other Security Concerns