langchain/SECURITY.md
Eugene Yurtsev 41e2f60cd2
Updated security policy (#19089)
Updated security policy
2024-03-14 20:58:47 +00:00

2.5 KiB

Security Policy

Reporting OSS Vulnerabilities

LangChain is partnered with huntr by Protect AI to provide a bounty program for our open source projects.

Please report security vulnerabilities associated with the LangChain open source projects by visiting the following link:

https://huntr.com/bounties/disclose/

Before reporting a vulnerability, please review:

  1. In-Scope Targets and Out-of-Scope Targets below.
  2. The langchain-ai/langchain monorepo structure.
  3. LangChain security guidelines to understand what we consider to be a security vulnerability vs. developer responsibility.

In-Scope Targets

The following packages and repositories are eligible for bug bounties:

  • langchain-core
  • langchain (see exceptions)
  • langchain-community (see exceptions)
  • langgraph
  • langserve

Out of Scope Targets

All out of scope targets defined by huntr as well as:

  • langchain-experimental: This repository is for experimental code and is not eligible for bug bounties, bug reports to it will be marked as interesting or waste of time and published with no bounty attached.
  • tools: Tools in either langchain or langchain-community are not eligible for bug bounties. This includes the following directories
    • langchain/tools
    • langchain-community/tools
    • Please review our security guidelines for more details, but generally tools interact with the real world. Developers are expected to understand the security implications of their code and are responsible for the security of their tools.
  • Code documented with security notices. This will be decided done on a case by case basis, but likely will not be eligible for a bounty as the code is already documented with guidelines for developers that should be followed for making their application secure.
  • Any LangSmith related repositories or APIs see below.

Reporting LangSmith Vulnerabilities

Please report security vulnerabilities associated with LangSmith by email to security@langchain.dev.

Other Security Concerns

For any other security concerns, please contact us at security@langchain.dev.