| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously. If you discover a security vulnerability within RFP Analyzer, please follow these steps:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed
-
Open a private security advisory at GitHub Security with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
-
Allow time for response - We will acknowledge receipt within 48 hours and provide an estimated timeline for a fix.
-
Coordinate disclosure - Work with us to coordinate the public disclosure after a fix is available.
When deploying RFP Analyzer, follow these security best practices:
-
Use Managed Identity (Recommended)
- Azure Container Apps is configured with User-Assigned Managed Identity
- No credentials stored in code or environment variables
- Automatic credential rotation
-
Service Principal (Alternative)
- If using service principal, store credentials in Azure Key Vault
- Rotate secrets regularly (at least every 90 days)
- Use least-privilege principle for role assignments
-
Azure RBAC Roles The application requires these minimum roles:
Cognitive Services User- For AI service accessAzure AI Developer- For AI Foundry operationsAcrPull- For container image pulls
-
Private Endpoints (Production)
- Configure private endpoints for Azure AI services
- Use VNet integration for Container Apps
- Restrict public access to essential endpoints only
-
Ingress Control
- Enable HTTPS only (HTTP redirects to HTTPS)
- Configure IP restrictions if needed
- Use Azure Front Door or Application Gateway for WAF protection
-
In Transit
- All communication uses TLS 1.2+
- Azure services enforce encrypted connections
-
At Rest
- Uploaded documents are processed in memory
- No persistent storage of sensitive data
- Azure AI services encrypt data at rest
-
Data Handling
- Documents are not retained after processing
- Clear session state after use
- No logging of document contents
-
Dependencies
- Regularly update dependencies (
uv sync --upgrade) - Monitor for CVEs in dependencies
- Use
uv auditto check for vulnerabilities
- Regularly update dependencies (
-
Environment Variables
- Never commit
.envfiles - Use Azure Key Vault for production secrets
- Rotate API keys if exposed
- Never commit
-
Logging
- Sensitive data is not logged
- Enable Application Insights for security monitoring
- Configure alerts for suspicious activity
-
Image Security
- Base image:
python:3.13-slim(minimal attack surface) - Regular base image updates
- No root user in container
- Base image:
-
Registry Security
- Private Azure Container Registry
- Managed identity for image pulls
- Enable vulnerability scanning
When processing RFP documents, consider:
-
Data Classification
- RFPs may contain confidential business information
- Vendor proposals may have proprietary content
- Implement appropriate access controls
-
Data Residency
- Deploy Azure resources in appropriate regions
- Understand Azure AI data processing locations
- Configure data residency as required
-
Audit Logging
- Enable Azure Activity Log
- Configure Log Analytics for retention
- Implement access auditing
- Review and update all dependencies
- Scan container image for vulnerabilities
- Configure managed identity (not service principal with secrets)
- Review RBAC role assignments (least privilege)
- Configure network security (VNet, private endpoints if required)
- Deploy to appropriate Azure region
- Enable HTTPS only
- Configure Application Insights
- Verify no secrets in logs
- Test authentication flows
- Enable Azure Security Center recommendations
- Configure security alerts
- Document incident response procedures
- Schedule regular security reviews
- Plan for dependency updates
Security updates will be released as patch versions. Subscribe to repository releases to be notified of security patches.
For security concerns, open a private security advisory