first commit

This commit is contained in:
Beyhan Oğur
2026-04-26 21:52:23 +03:00
commit 880f412e2c
2662 changed files with 866266 additions and 0 deletions

93
SECURITY.md Normal file
View File

@@ -0,0 +1,93 @@
# Security Policy
## Reporting a Vulnerability
The Bifrost team takes security issues seriously. We appreciate your efforts to responsibly
disclose any vulnerabilities you find.
**Please do NOT report security vulnerabilities through public GitHub issues.**
Instead, please report them via one of the following methods:
1. **GitHub Security Advisories (preferred)**: Use [GitHub's private vulnerability
reporting](https://github.com/maximhq/bifrost/security/advisories/new) to submit a report
directly through the repository.
2. **Email**: Send an email to **akshay@getmaxim.ai** with the details of the
vulnerability.
### What to include
To help us triage and respond quickly, please include:
- A description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Affected version(s) and component(s) (e.g., `core`, `transports`, `plugins/*`)
- Any relevant configuration or environment details
- Proof-of-concept code, if available
### What to expect
- **Acknowledgment**: We will acknowledge receipt of your report within **48 hours**.
- **Updates**: We will provide status updates as we investigate, typically within **5
business days**.
- **Resolution**: Once a fix is available, we will coordinate with you on disclosure
timing.
- **Credit**: We are happy to credit reporters in our release notes and security advisories
(unless you prefer to remain anonymous).
## Supported Versions
Security updates are provided for the following versions:
| Module | Version | Supported |
| ------------ | ------- | ------------------ |
| transports | 1.4.x | :white_check_mark: |
| core | 1.4.x | :white_check_mark: |
| framework | 1.2.x | :white_check_mark: |
| plugins/* | current minor version tracks | :white_check_mark: |
Only the latest minor release of each supported major version receives security patches. We
recommend always running the latest version.
## Security Considerations
Bifrost is an AI gateway that routes requests to multiple LLM providers. When deploying
Bifrost, keep the following in mind:
- **API Key Management**: Bifrost handles provider API keys. Ensure keys are stored
securely and never committed to version control. Use environment variables or a secrets
manager.
- **Network Exposure**: Restrict access to the Bifrost admin interface and API endpoints
using firewalls, VPNs, or authentication layers appropriate for your environment.
- **TLS**: Always use TLS when exposing Bifrost to external networks.
- **Access Profiles**: Use Bifrost's access profile and virtual key features to enforce
least-privilege access to upstream providers.
- **Plugin Security**: Only use plugins from trusted sources. Plugins execute within the
request pipeline and have access to request/response data.
## Disclosure Policy
We follow a coordinated disclosure process:
1. The reporter submits the vulnerability privately.
2. We confirm the issue and develop a fix.
3. We release the fix and publish a security advisory.
4. The vulnerability details are made public after users have had reasonable time to update
(typically 30 days after the fix is released).
We kindly ask that you do not publicly disclose the vulnerability until we have had a
chance to address it.
## Scope
The following are **in scope** for security reports:
- The Bifrost gateway (core, transports, framework, CLI)
- Official Bifrost plugins (`plugins/` directory)
- The Bifrost Docker image (`maximhq/bifrost`)
- The Bifrost web UI
The following are **out of scope**:
- Social engineering attacks
- Denial of service attacks that rely purely on volumetric traffic