We release security updates for the following versions of NeuroLink:
| Version | Supported | Status |
|---|---|---|
| 8.x | ✅ | Active development |
| 7.x | Security fixes only | |
| < 7.0 | ❌ | No longer supported |
If you discover a security vulnerability in NeuroLink, please report it responsibly. We take all security reports seriously and will respond promptly.
Email: security@juspay.in
Please include the following information in your report:
-
Description of the vulnerability
- Type of issue (e.g., authentication bypass, injection, etc.)
- Location of the affected code (file path, line number if possible)
-
Steps to reproduce
- Detailed steps to demonstrate the vulnerability
- Proof of concept code (if applicable)
-
Potential impact
- What can an attacker do with this vulnerability?
- What data or systems are at risk?
-
Suggested fix (optional)
- If you have ideas on how to fix the vulnerability
We are committed to responding to security reports in a timely manner:
- Initial acknowledgment: Within 24 hours
- Initial assessment: Within 72 hours
- Fix timeline: Based on severity (see below)
- Public disclosure: After fix is released and users have had time to update
| Severity | Description | Fix Timeline |
|---|---|---|
| Critical | Affects all users, active exploitation | 1-7 days |
| High | Affects most users, easy to exploit | 7-14 days |
| Medium | Limited impact or difficult to exploit | 14-30 days |
| Low | Minimal impact | Next release cycle |
When using NeuroLink in production, follow these security best practices:
- Never commit API keys to version control
- Use environment variables for all sensitive credentials
- Rotate API keys regularly
- Use separate keys for development and production
- Consider using a secrets management service (AWS Secrets Manager, HashiCorp Vault, etc.)
NeuroLink includes a production-ready HITL system for high-stakes operations:
import { NeuroLink } from "@juspay/neurolink";
const neurolink = new NeuroLink({
hitl: {
enabled: true,
dangerousActions: [
"write",
"execute",
"send",
"delete",
"database",
"drop",
"truncate",
],
timeout: 60000, // 60 seconds for user response
autoApproveOnTimeout: false, // Reject on timeout for safety
allowArgumentModification: true, // Allow users to modify tool arguments
auditLogging: true, // Enable audit logs for compliance
},
});
// Listen for confirmation requests using events
const emitter = neurolink.getEventEmitter();
emitter.on("hitl:confirmation-request", async (event) => {
const { confirmationId, toolName, arguments: args } = event.payload;
// Integrate with your approval system
const approved = await yourApprovalSystem.requestReview({
tool: toolName,
arguments: args,
});
// Respond with confirmation
emitter.emit("hitl:confirmation-response", {
type: "hitl:confirmation-response",
payload: {
confirmationId,
approved,
reason: approved ? undefined : "Denied by security policy",
metadata: { timestamp: new Date().toISOString() },
},
});
});Use HITL for:
- Financial transactions
- Data modifications
- Code execution
- Email/notification sending
- Database operations in production
If using Redis for conversation memory:
- Enable authentication: Always set a strong Redis password
- Use TLS: Enable TLS/SSL for production Redis connections
- Network isolation: Keep Redis on a private network
- Regular updates: Keep Redis version up to date
const neurolink = new NeuroLink({
conversationMemory: {
enabled: true,
store: "redis",
redis: {
host: "redis.example.com",
port: 6379,
password: process.env.REDIS_PASSWORD,
tls: true, // Always enable for production
},
},
});When implementing custom middleware:
- Validate all inputs: Never trust user input
- Sanitize outputs: Clean data before logging or displaying
- Rate limiting: Implement rate limits to prevent abuse
- Error handling: Don't leak sensitive information in error messages
- Use least privilege: Grant minimum necessary permissions to provider API keys
- Monitor usage: Track API usage for anomalies
- Budget limits: Set spending limits on provider accounts
- Audit logs: Enable audit logging for all provider interactions
NeuroLink includes enterprise-grade security features:
Full audit logging for compliance (HIPAA, SOC2, GDPR):
const neurolink = new NeuroLink({
enableAnalytics: true, // Captures full request/response data
hitl: {
enabled: true,
auditLogging: true, // Logs all approval decisions
},
});Built-in content filtering and safety using the MiddlewareFactory:
import { MiddlewareFactory } from "@juspay/neurolink";
// Create middleware factory with guardrails configuration
const factory = new MiddlewareFactory({
enabledMiddleware: ["guardrails"],
middlewareConfig: {
guardrails: {
enabled: true,
config: {
badWords: {
enabled: true,
list: ["harmful", "dangerous", "unsafe"],
},
modelFilter: {
enabled: true,
filterModel: "gpt-3.5-turbo", // Use a fast model for content filtering
},
precallEvaluation: {
enabled: true,
provider: "openai",
evaluationModel: "gpt-4",
thresholds: {
safetyScore: 7,
appropriatenessScore: 6,
},
},
},
},
},
});
// Use in your NeuroLink instance
const result = await neurolink.generate({
input: { text: "Your prompt" },
middleware: factory,
});We maintain a list of all security advisories:
No security advisories have been published as of this document's creation.
Subscribe to security updates:
- Watch the NeuroLink repository for security announcements
- Follow @juspay on Twitter
- Subscribe to release notifications
At this time, we do not have a formal bug bounty program. However, we greatly appreciate security researchers who report vulnerabilities responsibly and will acknowledge their contributions in our release notes (with permission).
For general security questions or concerns:
- Email: security@juspay.in
- For non-security issues: Create a GitHub issue
Thank you to all security researchers who have helped make NeuroLink more secure.