AIHEM is designed to be vulnerable for educational purposes. The vulnerabilities in this platform are intentional and are meant to teach AI security concepts.
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a real security vulnerability in the AIHEM platform itself (not an intentional vulnerability), please report it responsibly:
- Do NOT open a public issue
- Email security concerns to: [INSERT SECURITY EMAIL]
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity and complexity
Report these:
- Real vulnerabilities in deployment scripts
- Accidental exposure of real credentials
- Issues with the development environment
- Problems with documentation that could lead to real security issues
Do NOT report these (they're intentional):
- Weak password hashing (MD5) - This is intentional
- SQL injection vulnerabilities - These are intentional
- JWT vulnerabilities - These are intentional
- Prompt injection vulnerabilities - These are intentional
- Any vulnerabilities documented in VULNERABILITY_ARCHITECTURE.md
We follow responsible disclosure practices:
- Private Report: Report privately first
- Investigation: We'll investigate and confirm
- Fix Development: We'll develop a fix
- Coordination: We'll coordinate disclosure timing
- Public Disclosure: After fix is available
- Never deploy to production - This platform is intentionally vulnerable
- Never expose to the public internet - Use only in isolated environments
- Never use with real data - Use only test/dummy data
- Never use real API keys - Use test keys or environment variables
- Isolate the environment - Run in a VM, container, or isolated network
- Run in isolated Docker networks
- Use firewall rules to restrict access
- Don't expose ports to the internet
- Use environment variables for secrets
- Regularly update dependencies
- Monitor for unexpected behavior
This platform intentionally includes vulnerabilities for educational purposes. See VULNERABILITY_ARCHITECTURE.md for a complete list.
- OWASP LLM Top 10 - All categories are intentionally vulnerable
- Authentication Issues - Weak hashing, JWT flaws, etc.
- Authorization Issues - Missing access controls
- Input Validation - SQL injection, XSS, etc.
- Information Disclosure - Secrets in logs, prompts, etc.
- Supply Chain - Vulnerable dependencies
We will notify users about:
- Updates to fix real security issues
- Dependency updates with security patches
- Changes to deployment configurations
- Important security-related documentation updates
We encourage security research on this platform! However:
- Stay within scope - Only test the AIHEM platform itself
- Don't attack infrastructure - Don't attack hosting, CI/CD, etc.
- Respect privacy - Don't access other users' data
- Follow responsible disclosure - Report real issues privately
We appreciate security researchers who help improve the platform. Contributors will be:
- Acknowledged in security advisories (if desired)
- Listed in SECURITY.md (if desired)
- Credited in release notes
For security-related questions:
- Open a discussion (for general questions)
- Email security team (for sensitive issues)
- Check documentation first
Remember: This platform is for educational purposes only. Use responsibly and ethically.