We take security seriously – and we practice what we preach about transparency.

If you discover a security vulnerability in RAXE CE, please help us responsibly disclose it. We believe in transparency, but responsible disclosure protects our users while fixes are being developed.

• Do NOT open a public GitHub issue
• Do NOT discuss the vulnerability publicly
• Do NOT exploit the vulnerability

Report vulnerabilities privately to: security@raxe.ai

Please include:

1. Description - What is the vulnerability?
2. Impact - What could an attacker do?
3. Reproduction - Step-by-step instructions
4. Environment - OS, Python version, RAXE version
5. Suggested fix - If you have ideas

We will:

• Acknowledge your report within 48 hours
• Investigate and validate the issue
• Fix confirmed vulnerabilities in priority order
• Credit you in release notes (if desired)
• Keep you updated throughout the process

• Remote code execution
• Authentication bypass
• Data leakage of PII/secrets
• SQL injection
• Privilege escalation

• Denial of service (DoS)
• XSS or injection vulnerabilities
• Insecure defaults
• Cryptographic failures

• Information disclosure (non-PII)
• Missing security headers
• Weak encryption
• CSRF vulnerabilities

• Security misconfiguration
• Verbose error messages
• Missing rate limiting

We provide security updates for:

Once v1.0 is released, we will support the latest major version + one prior version.

We use GitHub CodeQL for continuous security scanning with custom configuration to suppress verified false positives.

• Security-critical vulnerabilities: 0 confirmed
• False positives suppressed: 2 (documented below)
• Configuration: See .github/codeql-config.yml

Our security team has reviewed and verified the following CodeQL alerts as false positives:

Each suppression is documented in .github/codeql-config.yml with review dates and security analyst sign-off.

When using RAXE CE:

1. Keep updated - Update to the latest version regularly
2. Protect API keys - Never commit API keys to version control
3. Review telemetry - Understand what data is sent (see README)
4. Use HTTPS - Always use encrypted connections
5. Validate inputs - Don't trust user input blindly

Environment variables:

# Store sensitive values in .env (NOT in code)
RAXE_API_KEY=your_secret_key_here

Never commit:

• API keys
• Passwords
• Certificates
• Private keys

When contributing code:

1. No secrets in code - Use environment variables
2. Parameterized queries - Prevent SQL injection
3. Input validation - Validate all user input
4. Dependency scanning - Run bandit before committing
5. Minimal permissions - Request only needed permissions

Pre-commit checks:

# Security scan
bandit -r src/raxe

# Dependency check
pip-audit

# Secret detection
detect-secrets scan

Unlike vendors who claim "privacy-first" while sending your data to their cloud, RAXE's privacy guarantees are verifiable:

• Local scanning - Detection happens on your machine (audit the code!)
• PII hashing - Prompts are SHA-256 hashed before transmission (one-way, irreversible)
• Configurable telemetry - You control what's sent (disable completely if needed)
• No prompt storage - We never store raw prompts (provably impossible with our architecture)
• Open source - Every line is auditable at github.com/raxe-ai/raxe-ce

• Fail open - If RAXE fails, your app continues (configurable)
• Rate limiting - Prevents abuse
• Circuit breaker - Graceful degradation under load
• Encrypted transmission - All cloud communication uses TLS

What we hash:

# SHA-256 hash of prompts (one-way, irreversible)
prompt_hash = hashlib.sha256(prompt.encode()).hexdigest()

What we send:

• Hashed prompts (SHA-256)
• Rule IDs that matched
• Severity scores
• Timestamps
• Environment metadata (OS, Python version)

What we NEVER send:

• Raw prompts
• User PII
• API keys
• Source code
• Private data

1. Day 0 - Vulnerability reported
2. Day 1-2 - Acknowledgment sent
3. Day 3-7 - Investigation and validation
4. Day 7-14 - Fix developed and tested
5. Day 14-21 - Coordinated disclosure with reporter
6. Day 21+ - Public disclosure and CVE assignment

We recognize security researchers who responsibly disclose vulnerabilities:

No vulnerabilities reported yet. Be the first!

• Email: security@raxe.ai
• PGP Key: Available at https://raxe.ai/pgp
• Bug Bounty: Coming soon

We assign CVEs for all security vulnerabilities. Check:

• GitHub Security Advisories
• NIST NVD

We are planning a comprehensive third-party security audit before v1.0 release. Audit reports will be published here once completed.

RAXE CE is designed to support compliance frameworks through verifiable architecture, not just buzzword compliance:

• GDPR - Privacy by design (local-first architecture), data minimization (only hashes transmitted)
• SOC 2 - Security controls and audit logging (all open source, fully auditable)
• ISO 27001 - Information security management (documented processes, open source controls)
• OWASP Top 10 - Secure coding practices (pre-commit hooks, security scanning in CI/CD)

We don't just claim compliance – we build it into our architecture so you can verify it yourself.

• OWASP Top 10
• CWE Top 25
• NIST Cybersecurity Framework

At RAXE, we believe:

• 🔍 Transparency builds trust - Open source enables real security, not security theater
• 📖 Verifiable beats claimable - Don't trust us, audit us
• 🔒 Privacy by architecture - Technical controls beat policy promises
• 🎓 Education prevents vulnerabilities - Understanding threats is as important as blocking them
• 🤝 Community improves security - More eyes = better security

Security through obscurity is snake oil. We choose transparency.

Thank you for helping keep RAXE CE and our users safe! 🛡️