VendorAuditAI is committed to maintaining security for the following versions:

| Version | Supported | End of Support |
|---|---|---|
| 1.x.x | Yes | Active |
| < 1.0 | No | Deprecated |

We take security seriously at VendorAuditAI. If you discover a security vulnerability, please report it responsibly.

DO NOT open a public GitHub issue. Instead:

- Email: security@vendorauditai.com
- Subject: [SECURITY] Brief description
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Any proof-of-concept code (if applicable)
  - Suggested remediation (if any)

For low-severity concerns, security best practices, or hardening suggestions, you may use our Security Issue Template.

| Phase | Timeline |
|---|---|
| Initial Acknowledgment | Within 48 hours |
| Preliminary Assessment | Within 5 business days |
| Status Update | Within 7 days |
| Critical Fix | Within 30 days |
| Non-Critical Fix | Within 90 days |

VendorAuditAI implements enterprise-grade security controls:

- JWT-based authentication with secure token handling
- SAML 2.0 SSO integration for enterprise identity providers
- Multi-Factor Authentication (MFA/TOTP) support
- Role-Based Access Control (RBAC)
- Session management with secure cookie attributes
- Rate limiting on all API endpoints
- Request validation using Pydantic schemas
- CORS configuration with explicit origin allowlists
- API versioning for backwards compatibility
- TLS 1.3 encryption for data in transit
- AES-256 encryption for sensitive data at rest
- Parameterized queries to prevent SQL injection
- Input sanitization and output encoding for XSS prevention
- Secure file upload validation
- Isolated container deployments
- Environment-based configuration management
- Secrets management (no hardcoded credentials)
- Comprehensive audit logging
- SOC 2 aligned security practices
- OWASP Top 10 vulnerability prevention
- Regular dependency updates and security patches
- API Keys: Never commit API keys to version control
- Environment Variables: Use .env files (gitignored) for sensitive configuration
- Access Control: Follow the principle of least privilege
- Updates: Keep your deployment updated to the latest version
- Monitoring: Enable audit logging and monitor for anomalies

We do not currently operate a formal bug bounty program. However, we are grateful for responsible disclosure and will:

- Acknowledge security researchers who report valid vulnerabilities
- Provide recognition in our security acknowledgments (with permission)
- Work collaboratively on coordinated disclosure timelines
- Primary: security@vendorauditai.com
- GitHub Security Advisories: Enable for this repository

We thank the security research community for helping keep VendorAuditAI secure. Researchers who have contributed to our security will be acknowledged here (with their permission).

Last Updated: January 2026