Do NOT open public GitHub issues for security vulnerabilities.

If you discover a security vulnerability, please email security@elixpo.ai with:

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Potential impact
• Suggested fix (if you have one)

Please include:

• Your name and contact information
• Affected versions
• Environment details
• Proof of concept or detailed reproduction steps

We will acknowledge receipt within 24 hours and aim to provide updates every 48 hours.

Published security advisories are available in the GitHub Security Advisories section.

We recommend always running the latest version for security patches.

• Chroma server runs in HTTP mode (not HTTPS in standard deployment)
• For production, use reverse proxy (nginx, Cloudflare) with TLS
• Database files should be in a secure directory with restricted permissions

Recommendation:

# Secure permissions for embeddings directory
chmod 700 /path/to/data/embeddings/

• Load balancer and workers communicate over internal Docker network
• external traffic only through load balancer port 8000
• Rate limiting should be implemented at reverse proxy

Recommended reverse proxy setup:

# nginx example
server {
    listen 443 ssl http2;
    server_name lixsearch.example.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
    
    location /api {
        limit_req zone=api burst=10;
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

• IPC service on port 5010 is internal only
• Accessible only from workers on same Docker network
• Authkey: b"ipcService" - Change in production

To change IPC key:

# In config.py
IPC_AUTHKEY = b"your-secure-authkey-here"

• All user inputs are validated at API boundary
• Query strings sanitized before vector DB operations
• Web scraping using Playwright with headless mode
• APIKey/auth tokens should be managed separately (not in this repo)

Review dependencies regularly:

# Check for vulnerabilities
pip-audit

# Update dependencies
pip install --upgrade -r requirements.txt

Always use a reverse proxy with TLS for production:

# Example with Let's Encrypt + nginx
certbot certonly --nginx -d lixsearch.example.com

• Never commit API keys, secrets, or credentials
• Use environment variables or secure vaults (AWS Secrets Manager, HashiCorp Vault)
• Rotate credentials regularly

Example .env (never commit):

LLM_API_KEY=sk-...
VECTOR_DB_PASSWORD=...

• Restrict access to ports (load balancer only on 8000)
• Use firewall rules to limit traffic sources
• Consider VPN/bastion host for admin access

Set Docker resource limits:

# docker-compose.yml
services:
  elixpo-search-worker-1:
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 1G
        reservations:
          cpus: '1'
          memory: 512M

• Monitor logs for suspicious activity
• Set up alerts for high error rates
• Implement access logging

# In config.py
ENABLE_REQUEST_TRACING = True
ENABLE_PERFORMANCE_METRICS = True

Keep all components updated:

# Update Docker base image
docker pull python:3.12-slim-bullseye

# Update dependencies
pip install --upgrade -r requirements.txt

# Update ChromaDB
docker pull chromadb/chroma:latest

• TLS/HTTPS enabled via reverse proxy
• Firewall rules configured
• Rate limiting enabled
• API credentials managed securely (not in code)
• Database permissions restricted (chmod 700)
• Regular backups configured
• Monitoring and logging enabled
• IPC authkey changed from default
• Docker resource limits set
• Regular security updates scheduled
• Access logs monitored
• Disaster recovery plan documented
• Security audit performed

1. Day 0: Security report received and acknowledged
2. Day 1-2: Investigation and verification
3. Day 3-5: Fix development begins
4. Day 7-14: Fix completed and tested
5. Day 14-21: Patch released with advisory
6. Day 21+: Advisory published publicly

Security vulnerabilities in lixSearch include:

✅ Included:

• Authentication bypasses
• Unauthorized data access
• Code execution flaws
• Cryptographic weaknesses
• Injection vulnerabilities
• Resource exhaustion

❌ Not included:

• Social engineering attacks
• Third-party library vulnerabilities (report to library maintainers)
• Configuration mistakes by users
• Infrastructure provider issues
• Physical security issues

We use the following key dependencies (review their security policies):

• ChromaDB: https://github.com/chroma-core/chroma
• Sentence Transformers: https://github.com/UKPLab/sentence-transformers
• Quart: https://github.com/pallets/quart
• Playwright: https://github.com/microsoft/playwright-python

Review their security advisories regularly.

• OWASP Top 10
• CWE: Common Weakness Enumeration
• NIST Cybersecurity Framework
• Python Security Best Practices

• 📧 Security issue: security@elixpo.ai
• 🐛 General issues: support@elixpo.ai
• 💬 Discussions: GitHub Discussions

No known security vulnerabilities at this time.

Last security audit: February 25, 2026

Thank you for helping keep lixSearch secure! 🔒