If you discover a security vulnerability in SOMA, please do not file a public issue.
Email the report to the repository maintainer. Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
We will respond within 7 days with an acknowledgment and a timeline for a fix.
| Area | In Scope |
|---|---|
| API key leakage via logs/memory | Yes |
| LLM prompt injection in user input | Yes |
| Unsafe file access in dashboard | Yes |
| Dependency supply chain | Yes |
| Version | Supported |
|---|---|
| 1.0.0 | Yes (latest) |
| 0.9.x | Yes |
| 0.8.x | Security fixes only |
| < 0.8.0 | No |
- Always set
SOMA_API_KEYenvironment variable when exposing the dashboard to networks - Never commit
dash/llm_config.json— it is gitignored by default - Review LLM provider API keys before deploying to shared environments