We release patches for security vulnerabilities. Currently supported versions:

The Arbitrium Framework team takes security seriously. We appreciate your efforts to responsibly disclose your findings.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, use GitHub's Private Vulnerability Reporting (recommended):

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill out the form with details

This is the fastest and most secure way to reach the maintainers.

Please include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours
• Communication: We'll keep you informed about our progress toward a fix
• Credit: We'll publicly credit you for the discovery (unless you prefer to remain anonymous)
• Timeline: We aim to issue a fix within 90 days of report

We ask that you:

• Give us reasonable time to fix the vulnerability before any public disclosure
• Make a good faith effort to avoid privacy violations, data destruction, or service interruption
• Do not exploit the vulnerability beyond the proof of concept

We currently do not offer a paid bug bounty program. However, we deeply appreciate security reports and will:

• Publicly credit your contribution
• Fast-track your pull requests
• Provide swag/merch when available

NEVER commit API keys to version control. Arbitrium Framework supports multiple secure methods for managing secrets:

1. Environment variables (recommended):

   export OPENAI_API_KEY="sk-..."  # pragma: allowlist secret
   export ANTHROPIC_API_KEY="sk-ant-..."  # pragma: allowlist secret

2. Custom config.yml (never commit!):

   # config.yml (add to .gitignore)
   # Override api_providers.yml defaults
   secrets:
     providers:
       openai: "sk-..."
       anthropic: "sk-ant-..."

3. 1Password integration (enterprise):

   secrets:
     source: "1password"
     vault: "Arbitrium Framework"

When using external LLM providers:

• Data Privacy: Your prompts and responses are sent to third-party APIs
• Data Retention: Check each provider's data retention policy
• Compliance: Ensure provider meets your regulatory requirements (GDPR, HIPAA, etc.)
• Rate Limiting: Implement rate limits to prevent abuse

In production environments:

# config.yml
features:
  save_reports_to_disk: false  # Avoid writing sensitive data to disk
  llm_compression: true         # Reduce data sent to providers

retry:
  max_attempts: 3               # Limit retry abuse

Arbitrium Framework uses pip-audit and safety in CI/CD to scan for known vulnerabilities. To check your installation:

pip install pip-audit
pip-audit --desc

# Or use safety
pip install safety
safety check

If running in a restricted environment:

• Proxy Support: Set HTTP_PROXY and HTTPS_PROXY environment variables
• Firewall Rules: Allow outbound HTTPS to provider APIs
• TLS/SSL: All API calls use TLS 1.2+ by default

Arbitrium Framework is not designed for:

• ❌ Adversarial Use: Do not use for generating malware, phishing, or other malicious content
• ❌ High-Security Data: Not suitable for classified or highly sensitive information without additional controls
• ❌ Real-Time Safety-Critical Systems: No SLA guarantees, not designed for life-safety applications
• ❌ Compliance-Heavy Environments: No built-in HIPAA/SOC2 compliance features (consider "Arbitrium Enterprise" roadmap)

Arbitrium Framework is designed for:

• ✅ Strategic Decision-Making: Business strategy, technical architecture, research planning
• ✅ Synthesis: Combining perspectives from multiple models
• ✅ Auditable Decisions: Full provenance tracking and cost accounting
• ✅ Research: Academic experiments, benchmarking, model evaluation

Security updates are released as patch versions (0.0.x). Subscribe to:

• GitHub Watch: Click "Watch" → "Releases only" on our repo
• Security Advisories: GitHub Security Advisories

For security-related questions (not vulnerabilities), please:

• Open a GitHub Discussion (preferred)
• Or file a regular GitHub Issue with the security-question label

For general questions, use GitHub Discussions.

Last Updated: October 2025