# Security Policy ## Reporting Security Vulnerabilities The Tractatus Framework takes security seriously. We appreciate your efforts to responsibly disclose your findings. ### Where to Report **Please DO NOT report security vulnerabilities through public GitHub issues.** Instead, please report security vulnerabilities by emailing: **security@agenticgovernance.digital** ### What to Include To help us better understand and resolve the issue, please include as much of the following information as possible: - **Type of vulnerability** (e.g., SQL injection, cross-site scripting, authentication bypass) - **Full paths of affected source files** - **Location of the affected code** (tag/branch/commit or direct URL) - **Step-by-step instructions to reproduce the issue** - **Proof-of-concept or exploit code** (if applicable) - **Impact of the vulnerability** (what an attacker could achieve) - **Suggested mitigation** (if you have one) ### What to Expect When you report a vulnerability, you can expect: 1. **Acknowledgment**: We will acknowledge receipt of your report within **48 hours** 2. **Assessment**: We will assess the vulnerability and determine its severity 3. **Updates**: We will keep you informed of our progress 4. **Resolution**: We will work to release a fix as quickly as possible 5. **Credit**: With your permission, we will credit you in the security advisory ### Disclosure Policy - We request that you give us a reasonable amount of time to address the vulnerability before public disclosure - We will keep you informed of our remediation timeline - Once a fix is released, we will publish a security advisory crediting you (unless you prefer to remain anonymous) ### Supported Versions We currently support the following versions with security updates: | Version | Supported | | ------- | ------------------ | | 3.5.x | ✅ Yes | | < 3.5 | ❌ Not supported | Only the latest minor version receives security updates. We strongly recommend keeping your installation up to date. ## Security Best Practices for Implementers If you're implementing the Tractatus Framework in your own project, we recommend: ### 1. Environment Security - **Never commit `.env` files** to version control - **Rotate secrets regularly** (JWT secrets, API keys, database credentials) - **Use strong passwords** for MongoDB and admin accounts - **Enable MongoDB authentication** in production - **Use TLS/SSL** for all connections in production ### 2. Network Security - **Use firewalls** to restrict access to MongoDB and application ports - **Enable rate limiting** (already configured in the framework) - **Use reverse proxy** (nginx/Apache) with HTTPS - **Configure CORS** appropriately for your use case - **Monitor failed authentication attempts** ### 3. Deployment Security - **Run as non-root user** (framework defaults to this) - **Use Docker secrets** for sensitive configuration - **Keep dependencies updated** (`npm audit` regularly) - **Enable security headers** (already configured) - **Disable debug logs** in production ### 4. Database Security - **Create read-only database users** for reporting - **Enable MongoDB access control** - **Backup encryption keys** securely - **Regular security audits** of database access logs - **Implement data retention policies** ### 5. API Security - **Validate all input** (framework provides validation middleware) - **Sanitize error responses** (already configured) - **Use authentication** for all admin endpoints - **Implement request signing** for critical operations - **Monitor for unusual API patterns** ## Known Security Considerations ### MongoDB Connection The framework uses MongoDB for persistence. Ensure your MongoDB instance: - Has authentication enabled - Is not exposed to the public internet - Uses encrypted connections (TLS) - Has appropriate network firewall rules - Is regularly backed up ### Rate Limiting The framework includes rate limiting middleware configured for: - **Public endpoints**: 100 requests per 15 minutes per IP - **Adjustable limits**: See `src/config/app.config.js` Adjust these limits based on your expected traffic and security requirements. ### Session Management The framework uses MongoDB to store session state. Ensure: - Sessions have appropriate timeouts - Session data is regularly cleaned up - Sensitive data is not stored in sessions ### Input Validation All API endpoints include input validation middleware. However: - Additional validation may be needed for your specific use case - Always validate data at multiple layers - Never trust client-side validation alone ## Security Updates We will publish security advisories for any vulnerabilities discovered in the framework: - **GitHub Security Advisories**: https://github.com/AgenticGovernance/tractatus-framework/security/advisories - **Mailing List**: Subscribe at https://agenticgovernance.digital for security notifications ## Compliance The Tractatus Framework is designed with security best practices in mind: - **OWASP Top 10**: Protections against common vulnerabilities - **Input Validation**: All endpoints validate input - **Output Encoding**: Responses are sanitized - **Security Headers**: Helmet middleware with custom CSP - **Error Handling**: No stack traces in production ## Security Audit History | Date | Type | Findings | Status | |------------|----------------|----------|----------| | 2025-10-21 | Internal Review| 0 Critical| Resolved | We welcome third-party security audits. Please contact us if you're interested in conducting an audit. ## Contact For security-related questions or concerns: - **Email**: security@agenticgovernance.digital - **Documentation**: https://agenticgovernance.digital - **GitHub Issues**: For non-security bugs only ## Acknowledgments We would like to thank the following individuals for responsibly disclosing security vulnerabilities: *(None reported yet - this is the initial release)* --- **Thank you for helping keep Tractatus Framework and our community safe!**