Please do NOT open public GitHub issues for security vulnerabilities.

If you discover a security vulnerability in this project, please report it responsibly:

1. Email: security@allyshipglobal.com
2. Subject: [SECURITY] AllysecLabs AI-SOC — <brief description>
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Fix Target: Critical issues within 14 days; others within 30 days

This policy covers:

• The AI-SOC codebase and its modules
• API endpoints exposed by the platform
• LLM prompt injection or manipulation vectors
• Authentication and authorization flaws
• Data exfiltration or information disclosure

• Vulnerabilities in upstream dependencies (report to the respective project)
• Wazuh core vulnerabilities (report to Wazuh)
• Social engineering attacks

1. Never commit .env files — they contain API keys and passwords
2. Use HTTPS for all API and dashboard access
3. Restrict network access — bind services to localhost or use a reverse proxy
4. Keep dependencies updated — run pip audit regularly
5. Review LLM outputs — AI-generated analysis should be verified by human analysts
6. Enable audit logging — the action_audit.jsonl tracks all automated actions

We appreciate responsible disclosure and will acknowledge reporters (with permission) in our changelog.