The BizInsight AI team takes security seriously. This document outlines how to responsibly report security vulnerabilities and what you can expect after submitting a report.
Since BizInsight AI handles sensitive data including customer reviews, API keys, SQLite databases, ChromaDB vector storage, and a FastAPI backend, responsible disclosure is critical.
Only the latest version of the main branch is actively maintained and
receives security fixes.
| Version / Release | Supported |
|---|---|
main (latest) |
Yes |
| < v1.0 | No |
Please do NOT report security vulnerabilities via public GitHub Issues. Public disclosure before a fix is in place puts all users at risk.
- Open a GitHub Security Advisory (preferred):
- Go to the repository, click the Security tab, then Advisories, then Report a vulnerability (if enabled)
- Describe the vulnerability in detail
- Or contact the maintainer directly via email: prateekiiitg56@gmail.com
Please provide as much of the following as possible:
- Type of vulnerability (e.g., API key exposure, SQL injection, IDOR)
- Location — file name, function, or endpoint affected
- Step-by-step reproduction instructions
- Potential impact — what an attacker could achieve
- Suggested fix (optional but appreciated)
| Timeline | Action |
|---|---|
| Within 48 hours | Acknowledgement of your report |
| Within 7 days | Initial assessment and severity classification |
| Within 14 days | Fix in progress or workaround communicated |
| After fix | Credit given to reporter (if desired) in release notes |
We will keep you informed at each step. If you do not receive a response within 48 hours, please follow up.
- Exposed or hardcoded API keys (OpenRouter, etc.)
- Authentication or authorization bypass in the FastAPI backend
- Insecure data storage (SQLite, ChromaDB)
- Injection attacks (SQL injection, prompt injection via LLM pipeline)
- Sensitive data leakage through API responses
- Vulnerabilities in environment variable or secrets management
- Dependencies with a known CVE and an exploitable path
- Vulnerabilities in third-party services (OpenRouter, Google Gemini, etc.)
- Issues requiring physical access to the machine
- Social engineering attacks
- Theoretical vulnerabilities with no practical exploit path
- Issues already tracked in public GitHub Issues
- Never commit
.envfiles or API keys to the repository - Use
.env.examplefor environment variable templates - Always use
python-dotenvto load secrets from environment variables - Always validate user-uploaded CSV inputs — check for required columns, drop empty rows, and guard against CSV formula injection in
app.py - Keep dependencies up to date by running
pip install -r requirements.txtregularly - Report any accidental secret exposure immediately
We accept security reports in English.
We are grateful to security researchers and contributors who help keep BizInsight AI safe. Responsible disclosures will be credited in our release notes with your permission.
This security policy follows recommended practices from GitHub's security advisory guidelines.