Sarvwigyan is an open knowledge ecosystem aiming to serve humanity through science, technology, philosophy, and truth. As such, the security, integrity, and safety of the platform and its users are of paramount importance.
This document outlines how you can report vulnerabilities, what kinds of threats we monitor, and how we responsibly handle and disclose security issues.
Version | Supported | Security Updates |
---|---|---|
main branch | Yes | Yes |
Archived/Old branches | No | No |
We only support the latest version of Sarvwigyan and actively maintain the main branch. Please ensure you're working on up-to-date code when reporting vulnerabilities.
If you believe you've found a security vulnerability in Sarvwigyan, its website, services, code, or data:
- DO NOT publicly disclose the issue.
- Privately email us at: [email protected]
- Please include:
  - A detailed description of the vulnerability
  - Steps to reproduce
  - The scope and potential impact
  - Any logs, screenshots, or proof-of-concept code (if applicable)
We appreciate responsible disclosures and aim to respond within 48 hours.
We are especially concerned about issues that may affect:
- Unauthorized access to user-submitted content
- Exposure of personal or sensitive data
- Insecure storage of files or text
- Indexing of private files
- Bypass of login systems (if implemented in the future)
- Broken access controls
- Session hijacking or insecure cookies
- Code injection (XSS, SQLi, Shell Injection)
- Remote Code Execution (RCE)
- Insecure deserialization
- Use of deprecated libraries with known CVEs
- Logic flaws in backend code or business rules
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Clickjacking
- Insecure CORS headers or policies
- Prompt injections
- Model poisoning or jailbreaks
- Leakage of training data or embeddings
- Malicious or compromised dependencies
- Typosquatting in package managers
- Insecure GitHub Actions or CI/CD workflows
- Exposure of GitHub Secrets/API Keys
- Public access to internal configurations
- Denial-of-Service vulnerabilities
While we appreciate curiosity and creativity, the following are not considered security issues unless they demonstrate a realistic attack vector:
- Missing security.txt
- Lack of CAPTCHA
- Rate limiting or brute-force attempts without real impact
- Use of outdated libraries without exploitable CVEs
- Email spoofing without a working exploit
- UI/UX bugs or typos
We value researchers who help secure our systems. If you report a valid and impactful vulnerability, we will:
- Publicly acknowledge your contribution (if you wish)
- Offer a badge or certificate of ethical contribution
- Consider small monetary rewards or feature shout-outs in our project
We follow the RFPolicy standard for disclosure timelines.
We follow strict internal security protocols including:
- HTTPS/TLS encryption everywhere
- Code linting and static analysis for every PR
- Secrets scanning using GitHub Security
- Role-based access control for all collaborators
- Regular dependency audits (npm audit, pip-audit, Dependabot)
- Planning ML model security for future features
- Transparent and traceable commit logs
- Dependabot for dependency alerts
- CodeQL for code scanning
- Bandit for Python security issues
- OWASP ZAP for manual web app scanning
- Custom Bash/Python Scripts for scanning content and logs
If the vulnerability exists in a third-party library used in Sarvwigyan:
- First report it to the upstream maintainer (e.g., library repo).
- Then notify us if it affects Sarvwigyan's functionality or user safety.
All security research on Sarvwigyan must follow:
- GitHub's Acceptable Use Policies
- Indian IT Act
- Your local cybercrime laws
Do not perform destructive testing, DoS attacks, or data scraping on live users.
Security is a community effort, and we deeply appreciate your help in making Sarvwigyan a secure, ethical, and open platform for knowledge and evolution.
Let us work together to build a platform that future generations can trust.
— Sarvwigyan Core Team