TENET AI is a security tool, so we take security issues very seriously. We appreciate your efforts to responsibly disclose your findings.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, report them via:

1. Private Security Advisory: Use GitHub's private security advisory feature

Please include as much information as possible:

• Type of vulnerability (e.g., injection, authentication bypass, DoS)
• Affected component(s) (e.g., ingest service, analyzer, dashboard)
• Specific version (if applicable)
• Step-by-step reproduction instructions
• Proof of concept or exploit code (if available)
• Impact assessment (what an attacker could achieve)
• Suggested remediation (if you have ideas)
• Your contact information (for follow-up)

1. Acknowledgment: Within 48 hours of your report
2. Initial Assessment: Within 5 business days
3. Regular Updates: Every 7 days on progress
4. Resolution Timeline:
   • Critical issues: 7-14 days
   • High severity: 30 days
   • Medium/Low: 60-90 days
5. Coordinated Disclosure: After fix is deployed and users notified

We kindly ask that you:

• ✅ Allow reasonable time for us to fix the issue before public disclosure
• ✅ Make a good faith effort to avoid privacy violations and data destruction
• ✅ Avoid exploiting the vulnerability beyond what's necessary for demonstration
• ✅ Keep vulnerability information confidential until we issue a fix
• ✅ Contact us immediately if you discover any data breach

We commit to:

• ✅ Acknowledge your report promptly
• ✅ Provide regular updates on progress
• ✅ Credit you publicly (if you wish) when we disclose the vulnerability
• ✅ Not take legal action against security researchers who follow this policy
• ✅ Work with you to understand and fix the issue

While we don't currently have a formal bug bounty program, we:

• Publicly acknowledge contributors (with permission)
• Provide detailed thank you in security advisories
• List you in our Hall of Fame (if desired)
• May offer swag or recognition (case by case)

When deploying TENET AI:

# ALWAYS use strong API keys
API_KEY = generate_secure_random_key(32)  # 32+ characters

# Rotate keys regularly
# Every 90 days minimum

# Use different keys for dev/staging/prod

Best practices:

• Generate cryptographically secure random keys
• Store in environment variables, never in code
• Use secret management (AWS Secrets Manager, HashiCorp Vault)
• Implement key rotation
• Monitor for key usage anomalies

# Deploy behind firewall
# Use TLS 1.3 for all communications
# Implement rate limiting
# Use network policies in Kubernetes

Best practices:

• Never expose services directly to internet
• Use API gateway or load balancer
• Implement IP whitelisting if possible
• Enable DDoS protection
• Use VPC/private subnets

# Encrypt data at rest
ENCRYPTION = "AES-256"

# Encrypt data in transit
TLS_VERSION = "1.3"

# Minimize PII collection
# Implement data retention policies

Best practices:

• Encrypt sensitive data in Redis/PostgreSQL
• Use TLS for all connections
• Implement data retention (90 days default)
• Redact PII before logging
• Regular backups with encryption

# Enable audit logs
# Monitor for suspicious activity
# Set up alerts for security events
# Regular security log reviews

Best practices:

• Log all authentication attempts
• Monitor for unusual patterns
• Alert on multiple failed attempts
• Review logs weekly minimum
• Use SIEM for centralized logging

# Keep TENET AI updated
git pull origin main
pip install -r requirements.txt --upgrade

# Subscribe to security advisories
# Test updates in staging first
# Have rollback plan ready

Best practices:

• Update within 7 days of security releases
• Test in non-prod environment first
• Monitor after updates
• Keep dependencies updated
• Use Dependabot for alerts

1. API Key Authentication

   • Required for all endpoints
   • Validated on every request
   • Failed attempts logged

2. Input Validation

   • Pydantic models enforce schemas
   • Size limits on prompts (100KB)
   • Type checking on all inputs

3. Rate Limiting

   • 1000 requests/minute per key
   • Prevents DoS attacks
   • Configurable per deployment

4. Data Sanitization

   • Input cleaning
   • Output encoding
   • SQL injection prevention (ORM)

5. Audit Logging

   • All requests logged
   • Threat events tracked
   • Timestamp and source recorded

• OAuth2/OIDC authentication
• RBAC (Role-Based Access Control)
• Multi-factor authentication
• End-to-end encryption
• Anomaly detection for API usage
• Automated threat response
• Integration with SIEM systems

⚠️ TENET AI is currently in MVP stage. Known limitations:

1. Authentication: Basic API key only

   • Risk: Key compromise = full access
   • Mitigation: Rotate keys, monitor usage
   • Roadmap: OAuth2 in v0.3

2. Multi-tenancy: Not yet implemented

   • Risk: All data shared in single deployment
   • Mitigation: Deploy separate instances per tenant
   • Roadmap: Multi-tenant in v0.4

3. Encryption: Not enforced by default

   • Risk: Data in transit/rest not encrypted
   • Mitigation: Use TLS, configure Redis/Postgres encryption
   • Roadmap: Enforced encryption in v0.3

4. Rate Limiting: Simple implementation

   • Risk: Sophisticated DoS might bypass
   • Mitigation: Deploy behind API gateway
   • Roadmap: Distributed rate limiting in v0.3

5. Audit Logs: Basic logging only

   • Risk: Limited forensic capabilities
   • Mitigation: Export logs to SIEM
   • Roadmap: Comprehensive audit trail in v0.4

Before deploying to production:

• Change all default credentials
• Generate strong API keys (32+ characters)
• Configure TLS/SSL certificates
• Enable rate limiting
• Set up authentication
• Configure audit logging
• Enable data encryption at rest
• Implement backup strategy
• Document incident response plan
• Configure security monitoring
• Set up alerting
• Review and harden network config
• Perform security testing
• Train team on security procedures

• OWASP Top 10
• CWE Top 25
• NIST Cybersecurity Framework

• OWASP LLM Top 10
• AI Security Papers
• Prompt Injection Resources

• Python Security Best Practices
• Bandit Documentation
• OWASP Python Security

• Security Team: saviodsouza8a@gmail.com
• PGP Key: [Available on request]
• Security Advisory Page: https://github.com/yourusername/tenet-ai/security/advisories

We appreciate the security research community's efforts in keeping TENET AI secure.

Last Updated: January 2026
Policy Version: 1.0