Security: nlweb-ai/nlweb-ask-agent

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.7.x
< 0.7

Only the latest release receives security updates. We recommend always running the most recent version.

Reporting a Vulnerability

If you discover a security vulnerability in NLWeb Ask Agent, please report it responsibly:

  1. Do not open a public GitHub issue for security vulnerabilities.
  2. Email security@nlweb.ai with a description of the vulnerability, steps to reproduce, and any relevant logs or screenshots.
  3. You can expect an initial acknowledgment within 48 hours and a follow-up with our assessment within 7 business days.

Security Considerations

NLWeb Ask Agent is deployed on Azure (AKS, Cosmos DB, Azure AI Search, Key Vault) and relies on the following security measures:

  • Authentication: Azure Managed Identity (workload identity) for all service-to-service communication. No shared secrets or connection strings in code.
  • Secret management: All sensitive configuration stored in Azure Key Vault and injected via CSI driver.
  • Network: API Gateway with TLS termination. Internal services communicate within the cluster network.
  • SSRF protection: Schema map URL validation blocks requests to private/loopback/reserved IP ranges.
  • Input sanitization: Error responses use generic messages to avoid leaking internal details.
  • Static file serving: Allowlist-based serving to prevent path traversal.
  • Dependencies: Dependabot enabled for automated vulnerability scanning of Python and JavaScript dependencies.
  • Static analysis: CodeQL enabled for automated security scanning on pull requests.

There aren't any published security advisories