
Security: subhakantrout/rosetta-engine


SECURITY.md

Security Policy

Supported Versions

Version Supported
0.x (current)

Reporting a Vulnerability

We take the security of Rosetta Engine seriously. If you discover a security vulnerability, please do NOT open a public issue. Instead, report it privately.

To report a vulnerability:

  1. Email the maintainers at security@rosetta-engine.dev
  2. Include a clear description of the issue and steps to reproduce
  3. If available, include a proof of concept or suggested fix

You should receive a response within 48 hours. If you don't, please follow up.

We appreciate your responsible disclosure and will acknowledge your contribution.


Security Best Practices

API Keys & Credentials

  • Never commit API keys to version control. The .env file is listed in .gitignore and must never be tracked.
  • Use the .env.example template to document the required variable names without exposing real values.
  • Keys can also be entered via the UI. They are held only in memory on the server: in Streamlit session state for the lifetime of the browser session, or for the duration of a single FastAPI request. They are never written to disk.
  • A key set in the environment (for example through .env) takes precedence over a key entered in the UI.

Production Deployment

When deploying Rosetta Engine to production:

  1. Use environment variables only, and disable the UI API key field if it is not needed
  2. Set secure headers in your reverse proxy (nginx syntax shown):
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "0";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'";
    X-XSS-Protection is set to "0" rather than the older "1; mode=block": current browsers ignore the header, and the legacy filter it enabled could itself be abused to leak page content, so explicitly disabling it is the recommended value. Roll the CSP out as Content-Security-Policy-Report-Only first and watch the browser console: the Streamlit frontend talks to the server over a WebSocket, so connect-src must cover that connection, and any inline script or style the frontend emits will be blocked by a 'self'-only policy. Allowing https://unpkg.com in script-src permits any script hosted on that CDN, not only the two libraries the app loads.
  3. Use HTTPS in production (terminate TLS at your reverse proxy)
  4. Restrict CORS: replace allow_origins=["*"] in src/api/server.py with the exact origin(s) of your frontend (scheme, host and port), since a wildcard lets any website script call the API
  5. Run as a non-root user: the Docker container runs as root by default, so add a USER instruction to the Dockerfile for production builds
  6. Update dependencies regularly: run pip-audit in CI and enable Dependabot to be notified of vulnerable versions
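The following is an added example, not code from the Rosetta Engine repository: stdlib-only helpers that enforce steps 1, 4 and 5 of the checklist at startup. The environment variable names ROSETTA_ENV and ALLOWED_ORIGINS, the function names, and the sample values are assumptions; the list returned by parse_allowed_origins is what you would pass to FastAPI's CORSMiddleware(allow_origins=...) in place of ["*"].

```python
"""Added example (not Rosetta Engine's own code): stdlib-only helpers that
enforce the production checklist at startup. The environment variable
names ROSETTA_ENV and ALLOWED_ORIGINS and the function names are assumptions.
"""
import os
from typing import List, Mapping, Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> str:
    """Reduce an Origin value to scheme://host[:port] in lower case.

    Anything that is not a bare origin (a path, query, userinfo, unknown
    scheme) raises ValueError so a typo in the allowlist fails at startup
    instead of silently never matching.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must be scheme://host[:port] only: {origin!r}")
    host = parts.hostname.lower()
    if ":" in host:  # bare IPv6 literal, restore the brackets
        host = f"[{host}]"
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port  # raises ValueError on a malformed port
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def parse_allowed_origins(raw: Optional[str], *, production: bool) -> List[str]:
    """Parse a comma-separated ALLOWED_ORIGINS value into exact origins.

    The wildcard is tolerated only outside production, so the wide-open
    default of allow_origins=["*"] cannot survive into a production build.
    """
    entries = [e.strip() for e in (raw or "").split(",") if e.strip()]
    if "*" in entries:
        if production:
            raise ValueError('ALLOWED_ORIGINS="*" is not permitted in production')
        return ["*"]
    if production and not entries:
        raise ValueError("ALLOWED_ORIGINS must list at least one origin in production")
    return sorted({normalize_origin(e) for e in entries})


def origin_allowed(origin: str, allowed: List[str]) -> bool:
    """Exact-match check: scheme, host and port must all agree.

    Suffix matches (rosetta.example.com.evil.test) and scheme downgrades
    (http:// for an https:// entry) are rejected.
    """
    if allowed == ["*"]:
        return True
    try:
        return normalize_origin(origin) in allowed
    except ValueError:
        return False


def resolve_api_key(env_value: Optional[str], ui_value: Optional[str], *, allow_ui_key: bool) -> Optional[str]:
    """A key from the environment wins; the UI-entered key is used only when
    the UI field is enabled and nothing is set in the environment."""
    if env_value:
        return env_value
    if allow_ui_key and ui_value:
        return ui_value
    return None


def load_settings(environ: Mapping[str, str] = os.environ) -> dict:
    """Derive the hardening-relevant settings from the environment."""
    production = environ.get("ROSETTA_ENV", "development") == "production"
    geteuid = getattr(os, "geteuid", None)  # not available on Windows
    return {
        "production": production,
        "allowed_origins": parse_allowed_origins(environ.get("ALLOWED_ORIGINS"), production=production),
        "allow_ui_key": not production,  # step 1: UI key field off in production
        "running_as_root": bool(geteuid and geteuid() == 0),  # step 5: should be False
    }


if __name__ == "__main__":
    # Constructed sample environment, not a real deployment.
    settings = load_settings({"ROSETTA_ENV": "production", "ALLOWED_ORIGINS": "https://App.example.com/"})
    print(settings["allowed_origins"])  # ['https://app.example.com']
    print(origin_allowed("https://app.example.com", settings["allowed_origins"]))  # True
    print(origin_allowed("https://app.example.com.evil.test", settings["allowed_origins"]))  # False
```

Normalising both the allowlist and the incoming Origin header to scheme://host[:port] is what makes the comparison safe: a plain substring or startswith check would accept attacker-controlled hosts that merely contain your domain name.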

Data Privacy

  • Rosetta Engine sends disease names and gene symbols to external APIs (Open Targets, ChEMBL, etc.)
  • No patient data is ever transmitted — this is a drug discovery tool, not a clinical system
  • AI analysis via Zen API sends drug and target names only — no personally identifiable information

Input Validation

  • All user inputs are validated:
    • Disease names: max 200 characters, alphanumeric + common punctuation
    • API keys: max 500 characters
    • All API responses are parsed safely with error handling on every external call
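The following is an added example, not code from the Rosetta Engine repository: stdlib-only validators that implement the limits listed above, plus a single defensive parser for upstream JSON responses so that every external call can be wrapped in one except clause. The exact punctuation set accepted in disease names, the error class names and the sample responses are assumptions constructed for illustration.

```python
"""Added example (not Rosetta Engine's own code): stdlib-only validators
implementing the stated input limits, plus one defensive parser for upstream
JSON responses. The punctuation set, the error classes and the sample
responses are assumptions constructed for illustration.
"""
import json
from typing import Any, Dict, Tuple

MAX_DISEASE_LEN = 200
MAX_API_KEY_LEN = 500
# "common punctuation" for disease names: space plus a small fixed set.
DISEASE_PUNCT = set(" -',.()/")


class ValidationError(ValueError):
    """Raised for any rejected user input; the message never echoes the value."""


class UpstreamError(RuntimeError):
    """Raised for any unusable response from an external API."""


def validate_disease_name(raw: str) -> str:
    """Trim, collapse whitespace, then enforce length and character class."""
    name = " ".join(raw.split())
    if not name:
        raise ValidationError("disease name is empty")
    if len(name) > MAX_DISEASE_LEN:
        raise ValidationError(f"disease name exceeds {MAX_DISEASE_LEN} characters")
    if not all(ch.isalnum() or ch in DISEASE_PUNCT for ch in name):
        raise ValidationError("disease name contains unsupported characters")
    return name


def validate_api_key(raw: str) -> str:
    """Provider keys are printable ASCII; a pasted newline or control byte
    would otherwise travel into an Authorization header."""
    key = raw.strip()
    if not key or len(key) > MAX_API_KEY_LEN or not all(0x21 <= ord(ch) <= 0x7E for ch in key):
        raise ValidationError("API key is malformed")
    return key


def parse_json_response(status: int, body: bytes, required: Tuple[str, ...]) -> Dict[str, Any]:
    """Turn an upstream response into a dict or raise UpstreamError.

    Covers a non-2xx status, invalid UTF-8, invalid JSON, a non-object top
    level and missing keys, so callers need exactly one except clause.
    """
    if not 200 <= status < 300:
        raise UpstreamError(f"upstream returned HTTP {status}")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UpstreamError("upstream body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise UpstreamError("upstream body is not a JSON object")
    missing = [k for k in required if k not in data]
    if missing:
        raise UpstreamError(f"upstream response is missing {missing}")
    return data


# Constructed sample responses, not captured from any real API.
SAMPLE_OK = b'{"data": {"search": {"hits": [{"id": "example-001", "name": "example disease"}]}}}'
SAMPLE_HTML_502 = b"<html><body>502 Bad Gateway</body></html>"
SAMPLE_ERROR_OBJECT = b'{"errors": [{"message": "rate limited"}]}'


def demo() -> Dict[str, Any]:
    """Run the parser over the constructed samples and collect the outcomes."""
    outcomes: Dict[str, Any] = {}
    outcomes["ok"] = parse_json_response(200, SAMPLE_OK, ("data",))["data"]["search"]["hits"][0]["id"]
    for label, status, body in (("gateway", 502, SAMPLE_HTML_502), ("errors", 200, SAMPLE_ERROR_OBJECT)):
        try:
            parse_json_response(status, body, ("data",))
            outcomes[label] = "accepted"
        except UpstreamError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(validate_disease_name("  Type 2   diabetes mellitus "))
    print(demo())  # {'ok': 'example-001', 'gateway': 'rejected', 'errors': 'rejected'}
```

Two details matter beyond the length limits: validation happens after whitespace normalisation so the stored value is the one that was checked, and the API key error message never includes the submitted value, so a mis-pasted key cannot end up in a log line.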

Dependency Security

The following dependencies are used and should be kept updated:

| Dependency | Risk | Mitigation |
| --- | --- | --- |
| httpx | Low | HTTPS-only, timeouts on all requests |
| streamlit | Low | Run behind reverse proxy in production |
| fastapi | Low | Input validation via Pydantic |
| three.js / 3d-force-graph | Low | Loaded from CDN with HTTPS |

Known Security Considerations

  1. CORS is wide open (allow_origins=["*"]): restrict it to your frontend's origin in production
  2. No authentication on the API: deploy behind a VPN or an authenticating reverse proxy for any sensitive use
  3. API keys in memory: the Zen API key exists in Python process memory during analysis, so anyone who can read that process (debug endpoints, core dumps, a shell in the container) can read the key; ephemeral containers limit how long it survives but do not hide it from such access
  4. CDN-loaded scripts: Three.js and 3D Force Graph are loaded from the unpkg CDN, so HTTPS protects the transport but not against a compromised or substituted file on the CDN; pin exact library versions in the URLs and add Subresource Integrity (integrity=) hashes to the script tags, and for air-gapped deployments vendor the files locally

There aren't any published security advisories