We take the security of Graphora seriously. If you discover a security vulnerability, please follow these steps:
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Send your vulnerability report to: support@graphora.io
Include the following information:
- Type of vulnerability
- Full paths of source files related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Any potential mitigations you've identified
- Acknowledgment: We'll acknowledge receipt within 48 hours
- Updates: We'll keep you informed about our progress
- Timeline: We aim to provide an initial assessment within 7 days
- Fix: Critical issues will be addressed immediately; others within 30 days
- Disclosure: We'll coordinate with you on public disclosure timing
We request that you:
- Allow us reasonable time to fix the vulnerability before public disclosure
- Avoid exploiting the vulnerability or sharing it with others
- Do not access, modify, or delete data that isn't yours
- Act in good faith and avoid privacy violations
If you responsibly disclose a security issue:
- We'll acknowledge you in our security advisory (unless you prefer to remain anonymous)
- We may offer a bounty for critical vulnerabilities (case-by-case basis)
| Version | Supported |
|---|---|
| main | ✅ |
| < 1.0 | ❌ |
We currently support only the latest version. Security fixes will be backported on a case-by-case basis for critical issues.
When deploying Graphora API:
- Implement strong authentication mechanisms
- Use API keys or OAuth tokens
- Validate user permissions for all operations
- Rotate credentials regularly
- Always use HTTPS in production
- Configure CORS appropriately
- Implement rate limiting per user/IP
- Use firewall rules to restrict access
- Validate all user inputs
- Sanitize file uploads
- Limit file sizes and types
- Use Pydantic models for validation
- Use parameterized queries (no raw Cypher)
- Implement connection pooling with limits
- Use read-only connections where possible
- Enable Neo4j authentication
- Encrypt database connections
- Implement request signing
- Use CSRF protection
- Set appropriate timeout values
- Log all security-relevant events
- Implement request size limits
- Use environment variables for all secrets
- Never commit
.envfiles - Use secret management services (AWS Secrets Manager, HashiCorp Vault)
- Rotate API keys regularly
- Use different keys per environment
- Validate LLM responses
- Implement output filtering
- Set token limits
- Monitor for prompt injection attempts
- Use structured outputs where possible
- Validate file types before processing
- Scan uploads for malware
- Use isolated environments for processing
- Implement file size limits
- Clean up temporary files
- Regularly update dependencies (
uv sync --upgrade) - Monitor security advisories
- Use
pip-auditor similar tools - Review dependency licenses
- Log authentication attempts
- Monitor for unusual patterns
- Implement alerting for security events
- Retain logs for audit purposes
- Protect log data
- Use minimal container images
- Scan images for vulnerabilities
- Run with non-root users
- Use security scanning in CI/CD
- Implement secrets scanning
- SQL/Cypher injection - Use parameterized queries
- Command injection - Validate and sanitize inputs
- Prompt injection - Validate LLM inputs/outputs
- Broken authentication - Use established libraries
- Session fixation - Regenerate session IDs
- Credential stuffing - Implement rate limiting
- Sensitive data exposure - Encrypt at rest and in transit
- Excessive data exposure - Return only necessary fields
- Insufficient logging - Log security events
- Broken access control - Validate permissions
- IDOR - Use UUIDs, validate ownership
- Path traversal - Validate file paths
- Input validation with Pydantic
- CORS configuration
- Request timeouts
- Error handling (no sensitive data in errors)
- Rate limiting (implement in production)
- API key rotation
- Audit logging
- Security headers
- Request signing
In case of a security incident:
- Contain: Isolate affected systems
- Investigate: Determine scope and impact
- Notify: Inform affected users
- Remediate: Deploy fixes
- Document: Record lessons learned
Security updates will be announced through:
- GitHub Security Advisories
- Release notes
- Email notifications (for registered users)
- Security mailing list
- Security Issues: support@graphora.io
- General Questions: See SUPPORT.md
- Enterprise Support: support@graphora.io
Graphora API is designed to support:
- GDPR compliance (data processing)
- SOC 2 requirements (with proper configuration)
- HIPAA considerations (healthcare deployments)
Note: Compliance certification is the responsibility of the deploying organization.
Thank you for helping keep Graphora secure!