We take security seriously and provide security updates for the following versions:

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please follow these steps:

Please do not report security vulnerabilities through public GitHub issues. Public disclosure before a fix is available can put users at risk.

Send an email to our security team at: security@altairalabs.ai

Include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact and attack scenarios
• Any suggested fixes or mitigations
• Your contact information for follow-up

For highly sensitive reports, you may encrypt your email using our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key will be provided upon request]
-----END PGP PUBLIC KEY BLOCK-----

We are committed to responding to security reports promptly:

• Initial Response: Within 48 hours of receiving your report
• Triage: Within 5 business days we will provide an initial assessment
• Updates: Regular updates on our progress every 5-10 business days
• Resolution: Timeline depends on severity and complexity, typically within 30-90 days

PromptKit implements several security measures to protect users:

• Static Analysis: Automated security scanning with gosec on all code changes
• Dependency Scanning: Automated vulnerability scanning with Dependabot for Go modules, npm packages, Docker images, and GitHub Actions
• Code Quality: Comprehensive linting with golangci-lint and SonarQube integration
• Code Review: All changes require review before merging
• Signed Releases: All releases are signed and checksummed

• Input Validation: Strict validation of all user inputs
• Secure Defaults: Safe configuration defaults
• Principle of Least Privilege: Minimal required permissions
• Audit Logging: Security-relevant events are logged

• Secure Development: Development follows secure coding practices with pre-commit security checks
• CI/CD Security: Build pipelines use secure practices and isolated environments
• Access Controls: Multi-factor authentication and role-based access controls
• Automated Updates: Dependabot automatically creates PRs for dependency updates weekly
• Regular Reviews: Security updates are prioritized and reviewed promptly

When using PromptKit, consider the following security best practices:

• Never commit API keys to version control
• Use environment variables or secure credential stores
• Rotate keys regularly
• Use least-privilege API keys when possible

• Sensitive Data: Be cautious when processing sensitive information with LLMs
• Data Residency: Understand where your data is processed and stored
• Logging: Be aware of what data might be logged during processing
• Provider Security: Review the security practices of your LLM providers

• Validate Configurations: Ensure configurations are from trusted sources
• Network Security: Use secure connections (HTTPS/TLS) for all communications
• Access Controls: Implement appropriate access controls for PromptKit deployments
• Updates: Keep PromptKit updated to the latest version

When using PromptKit Arena:

• Test Data: Use non-sensitive data in test scenarios
• Isolation: Run tests in isolated environments
• Provider Limits: Be aware of rate limits and costs when testing
• Tool Execution: Understand the security implications of tools used in tests

• We will work with security researchers to understand and fix reported vulnerabilities
• We will provide credit to researchers who report vulnerabilities responsibly
• We will not take legal action against researchers who follow this policy

To be eligible for recognition:

• Follow responsible disclosure practices
• Do not access data that isn't your own
• Do not perform actions that could harm the service or other users
• Do not use social engineering against our employees or contractors
• Provide sufficient detail to reproduce the vulnerability

Once a vulnerability is fixed:

1. We will publish a security advisory with details about the issue
2. We will credit the researcher(s) who reported the vulnerability (unless they prefer anonymity)
3. We may coordinate with the researcher on the timing of public disclosure

• Security Advisories: GitHub Security Advisories
• Security Contact: security@altairalabs.ai
• General Contact: conduct@altairalabs.ai

PromptKit aims to follow industry security standards and best practices:

• OWASP Guidelines: Following OWASP secure coding practices
• Supply Chain Security: Using SLSA framework principles
• OpenSSF: Following Open Source Security Foundation guidelines
• CVE Process: Participating in CVE assignment for disclosed vulnerabilities

Security updates are distributed through:

• GitHub Releases: Tagged releases with security fixes
• Security Advisories: GitHub security advisories for critical issues
• Documentation: Updated security documentation and guidelines
• Community Channels: Announcements in community forums and discussions

PromptKit uses the following automated security tools:

• gosec: Go security scanner that inspects source code for security problems

  • Runs locally via make security-scan or make security-scan-diff
  • Integrated into pre-commit hooks for changed code
  • Checks for common security issues like SQL injection, command injection, weak crypto, etc.

• Dependabot: Automated dependency updates and vulnerability scanning

  • Monitors all Go modules, npm packages, Docker images, and GitHub Actions
  • Creates pull requests for security updates and version bumps
  • Runs weekly on Mondays at 09:00 UTC

• golangci-lint: Comprehensive Go linter including staticcheck

  • Includes gosec as one of its enabled linters
  • Runs on all PRs and pre-commit hooks

• SonarQube: Code quality and security analysis

  • Integrated with CI/CD pipeline
  • Provides detailed security vulnerability reports

Last Updated: December 5, 2025
Next Review: March 5, 20265
Next Review: February 1, 2026

For questions about this security policy, contact: security@altairalabs.ai