Security: Maverick0351a/neuralcache


SECURITY.md

Supported Versions

We support the most recent minor release line of neuralcache. Security fixes are backported to the latest published version on PyPI. Older minors may receive fixes on a best-effort basis only if they are no more than one release behind.

| Version | Supported | Notes                              |
|---------|-----------|------------------------------------|
| 0.3.x   | Yes       | Receive fixes & security patches   |
| < 0.3   | ⚠️        | Best-effort only; please upgrade   |

Reporting a Vulnerability

If you discover a security issue, please email security@carnotengine.com with the following details:

  • A clear description of the vulnerability.
  • Steps or proof-of-concept required to reproduce the issue.
  • The impact you believe the vulnerability has.
  • Any suggested fixes or mitigations.

We aim to acknowledge new reports within 3 business days and will keep you updated on progress. Please do not open public GitHub issues for potential vulnerabilities.

Encryption / Sensitive Artifact Guidance

Do not include production embeddings, proprietary documents, or user PII in issue attachments or test cases. Provide hashes or synthetic surrogates where possible.

Handling Sensitive Data

NeuralCache can store reranking telemetry in SQLite. When deploying to production:

  • Place the SQLite database on encrypted storage.
  • Rotate API tokens stored in environment variables regularly.
  • Run the API behind TLS (e.g., via a reverse proxy such as Nginx or Caddy).
  • Set NEURALCACHE_API_TOKENS to enforce bearer-token authentication.
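As an added illustration of the last item (not code from the neuralcache project), the check below reads a token set from NEURALCACHE_API_TOKENS and validates an Authorization header. The comma-separated format of the variable and the fail-closed behaviour when no tokens are configured are assumptions made for this example; the environment variable name is the one the page gives.

```python
import hmac
import os
from typing import Optional

# Variable name taken from the page; the comma-separated value format is an
# assumption made for this example, not a documented project convention.
ENV_VAR = "NEURALCACHE_API_TOKENS"


def load_tokens(env_value: Optional[str]) -> frozenset:
    """Parse a comma-separated token list; blank entries are ignored."""
    if not env_value:
        return frozenset()
    return frozenset(t.strip() for t in env_value.split(",") if t.strip())


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_authorized(authorization: Optional[str], tokens: frozenset) -> bool:
    """Fail closed: an empty token set or a missing/malformed header denies.

    Each configured token is compared with hmac.compare_digest so that the
    response time does not depend on how many leading characters matched.
    """
    presented = extract_bearer(authorization)
    if presented is None or not tokens:
        return False
    matched = False
    for expected in tokens:
        # Compare against every token; no early return on the first hit.
        if hmac.compare_digest(presented.encode(), expected.encode()):
            matched = True
    return matched


def check_request_from_env(authorization: Optional[str]) -> bool:
    """Read the token set from the process environment and run the check."""
    return is_authorized(authorization, load_tokens(os.environ.get(ENV_VAR)))


if __name__ == "__main__":
    demo = load_tokens("tok-A, tok-B")  # constructed sample tokens
    print(is_authorized("Bearer tok-A", demo), is_authorized("Basic tok-A", demo))
```

In a FastAPI deployment the same logic would sit in a dependency that reads the Authorization header and returns 401 when `is_authorized` is False.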

Dependency Management

  • Constrained version ranges (FastAPI, Starlette, Uvicorn) balance stability with timely security patch adoption. We widen ranges when upstream APIs stabilize and tests pass.
  • Check the Python Packaging Advisory Database before broadening constraints.
  • The CI workflow runs pip-audit on every pull request and push to main to detect vulnerable dependencies early.
  • Use Dependabot updates to stay ahead of transitive dependency advisories.
  • Builds harden bootstrap tooling by pinning pip away from known vulnerable releases (see CHANGELOG for currently excluded versions) and upgrading setuptools proactively.

Secure Development Checklist

  • Run ruff, mypy, and pytest locally before sending a pull request.
  • Avoid storing secrets in the repository or sample configuration files.
  • Keep container builds based on the published Dockerfile up to date with the latest security patches from the base image.
  • Avoid adding new runtime dependencies without evaluating: supply chain risk, maintenance cadence, license compatibility, and CVE history.

Coordinated Disclosure

We prefer coordinated disclosure. After we release a fix, we'll work with you on appropriate public communication and attribution if desired. Thank you for helping us keep NeuralCache safe for everyone.


For questions not involving sensitive security matters, open a standard GitHub issue.

There aren’t any published security advisories

