Please do not report security vulnerabilities through public GitHub issues.

Instead, please email security@vichara.ai with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any suggested fix (optional)

You will receive an acknowledgment within 48 hours.

We aim to release a patch within 14 days of confirmation for critical vulnerabilities.

Vichara AI follows OWASP Top 10 guidance:

• SQL Injection — All database queries use parameterised statements via pgx
• Authentication — API tokens via Authorization header (configure in production)
• Secrets — Never stored in source code; loaded via environment variables or Kubernetes Secrets
• TLS — PostgreSQL SSL mode configurable; enforce sslmode=require in production
• Input Validation — All API inputs are validated before processing
• Dependency Scanning — Automated via GitHub Dependabot
• Container Security — Distroless base image, non-root user, read-only filesystem

• Set strong, unique database password via VICHARA_DATABASE_PASSWORD
• Set Redis requirepass and VICHARA_REDIS_PASSWORD
• Enable PostgreSQL SSL: VICHARA_DATABASE_SSL_MODE=require
• Run behind a TLS-terminating reverse proxy (e.g., nginx, Traefik)
• Restrict network access to internal services (Postgres, Redis)
• Enable structured JSON logging and ship to a SIEM
• Monitor Prometheus metrics for anomalies

After we patch a vulnerability and release a fix, we will publish a security advisory on GitHub. We follow responsible disclosure principles.