GraphBit is committed to maintaining security standards for our agentic framework. This document outlines procedures for reporting and handling security vulnerabilities.

• API Keys: Use environment variables, never hardcode credentials
• Updates: Keep GraphBit updated to the latest version
• Environment: Use .env files for development, enterprise secret management for production

⚠️ Important: If you discover a security vulnerability in GraphBit, please do not create a public issue.

Option 1 - GitHub Security (Preferred):

1. Navigate to the GraphBit repository
2. Click the "Security" tab
3. Click "Report a vulnerability"
4. Fill out the private security advisory form

Option 2 - Email: info@graphbit.ai

• Description of the vulnerability
• Steps to reproduce
• Impact assessment
• Affected versions

• 24 hours: Initial acknowledgment
• 72 hours: Assessment and triage
• 7 days: Response plan
• 30 days: Patch development
• Coordinated disclosure: After patch release

✅ DO:

• Report responsibly via email
• Provide detailed reproduction steps
• Allow time for coordinated disclosure

❌ DON'T:

• Publicly disclose before patches
• Test on production systems
• Access user data during research

Contact: info@graphbit.ai
Last Updated: July 2025