Hi there! Thanks for caring about the safety and stability of search.elixpo — the intelligent search service that powers search.elixpo.com. We really appreciate folks who help us keep the platform trustworthy for everyone who searches, browses, and builds on top of it.

If you've found a security issue in our code, APIs, or infrastructure, please help us protect the community:

1. Reach out privately. Please don't open a public GitHub issue, discussion, or PR describing the vulnerability. Instead:

   • Email us at ayushman@myceli.ai
   • Use GitHub's private vulnerability reporting on the repo

2. What to include. The more detail, the faster we can fix it:

   • A clear description of what you found
   • Steps to reproduce or a proof-of-concept (curl command, short script, screenshots)
   • The affected component (backend pipeline, nginx gateway, frontend, IPC service, Redis/Chroma, etc.)
   • Why it matters and what an attacker could do
   • Any ideas for mitigation — always welcome

3. How we respond. We aim to acknowledge reports within 72 hours and keep you updated as we triage and patch. Once the fix ships, we'll publish an advisory and — with your consent — credit you for the find.

4. Recognition. Security-minded contributors keep search.elixpo strong. If you'd like credit, we'll name you in the advisory and release notes; if you'd rather stay anonymous, just say so.

This policy covers the pollinations/search.elixpo repository, including:

• The search.elixpo backend (Quart API, pipeline, tool execution, RAG service)
• The IPC embedding + search-agent service and its Playwright browsers
• The nginx gateway and its authenticated/unauthenticated routes on port 10001
• Shared infrastructure used by the service: Redis (semantic cache + session store), Chroma (vector DB), and on-disk conversation archives
• The search.elixpo Cloudflare Pages frontend and its edge routes
• Deployment scripts, Docker Compose configuration, and CI in this repo

If you find something in a third-party dependency, please report it to that project's maintainers unless the issue arises specifically from our integration.

We'd especially like to hear about:

• Remote code execution, privilege escalation, or command injection in any service
• Authentication or authorization bypasses — including nginx API-key checks, internal service-to-service auth, and SSO (Elixpo Accounts) flows
• Cross-session or cross-user data leaks — conversation history, bookmarks, cached embeddings, or user profile data surfacing in the wrong session
• Prompt injection or tool-call abuse that causes the pipeline to fetch unauthorized resources, exfiltrate server state, or produce privileged output
• Leaks of sensitive data in logs, error messages, SSE streams, or API responses (tokens, internal URLs, raw prompts, HF/Pollinations credentials)
• Abuse of search / image / chat endpoints that bypasses guest rate limits, burns API credits, or enables denial of service
• SSRF or open-proxy behavior in the fetch_full_text, web_search, or surf tools
• Misconfigurations: debug endpoints left open, secrets in the built image, unauthenticated admin routes, permissive CORS/CSP
• Supply-chain attacks via dependencies, Docker base images, or GitHub Actions

While we appreciate the feedback, these are not considered security vulnerabilities:

• Self-XSS (attacks that require you to paste hostile input into your own browser)
• Volumetric denial of service that only works by exceeding documented rate limits, without a new exploit
• Bugs in unrelated projects vendored for reference
• Social engineering targeting our team or community
• Feature requests or disagreements with how the LLM responds to a prompt
• Missing security headers on routes that don't serve sensitive content
• Reports generated by automated scanners without a working proof-of-concept

search.elixpo is built on open collaboration and mutual respect. Please be kind when you report issues, and please don't test against production in ways that could affect other users (large-scale fuzzing, account takeover attempts on real accounts, etc.). If you're unsure whether a test is safe, ask us first.

For general questions, open a GitHub Discussion — but never share sensitive security details in public spaces.

Every report, every patch, every heads-up makes search.elixpo safer for everyone who uses it. Thank you for taking the time.

— the search.elixpo maintainers

For urgent or sensitive issues: always use private contact (ayushman@myceli.ai or GitHub's private vulnerability reporting). Public posts may be missed.

(Last updated: 2026-04-24)