Document Metadata
Type: Security Policy | Audience: All Users | Complexity: Intermediate
Last Updated: June 2025 | Status: Production-Ready
Cross-References: Comprehensive Security Guide | Deployment Security | MCP Security
The GNN (GeneralizedNotationNotation) project maintains a comprehensive multi-layered security approach covering development, deployment, and production environments.
Complete Security Documentation: For comprehensive security information, see Security Guide
We are committed to ensuring the security of the GeneralizedNotationNotation (GNN) project.
Version | Supported | Security Coverage |
---|---|---|
1.1.x | Full support | Complete security framework |
1.0.x | LTS support | Backported security fixes |
0.1.x | Critical fixes only | |
< 0.1.0 | Unsupported | No security support |
Version Updates: This table is updated with each release. See Changelog for version history.
The GNN team and community take all security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Primary Contact:
- Email: Send an email to blanket@activeinference.institute
- Subject Line: Use "Security Vulnerability in GNN Project"
GitHub Security:
- Platform: GitHub Security Advisories
- Repository: GeneralizedNotationNotation
- Benefits: Automated coordination with dependency maintainers
Important: Please do not report security vulnerabilities through public GitHub issues.
When reporting a vulnerability, please provide:
- Clear description of the vulnerability and its impact
- Component identification: Affected files, modules, or pipeline steps
- Reproduction steps: Detailed steps to reproduce the issue
- Version information: Affected GNN versions and dependencies
- Environment details: Operating system, Python version, framework versions
- Proof of concept: If applicable, demonstration code (provided safely)
- Suggested mitigations: If you have ideas for fixes
LLM Integration Security (Pipeline Step 13):
- API key exposure in configuration files
- Prompt injection attacks through GNN files
- Unsafe code generation from LLM outputs
MCP Security (Pipeline Step 22):
- Model Context Protocol authentication issues
- Unsafe resource access patterns
- Data leakage through model context
Pipeline Security (All 23 Steps):
- Code injection through GNN file parsing
- Unsafe file operations in output generation
- Privilege escalation in execution steps
Once a security vulnerability is reported, we commit to:
Immediate Response (24-48 hours):
- Acknowledge receipt of the vulnerability report
- Assign a security team member as primary contact
- Begin initial assessment and triage
Investigation Phase (1-7 days):
- Validate and reproduce the vulnerability
- Assess severity using CVSS scoring
- Determine affected versions and components
- Develop initial mitigation strategies
Resolution Phase (Variable, based on severity):
- Critical: 24-72 hours for emergency patch
- High: 1-2 weeks for comprehensive fix
- Medium: 2-4 weeks for scheduled release
- Low: Next planned release cycle
Disclosure Phase:
- Coordinate responsible disclosure timeline
- Prepare security advisory and documentation
- Release patched versions across supported branches
- Publicly acknowledge contributor (unless requested otherwise)
Development Security:
- All code changes reviewed for security implications
- Automated security scanning in CI/CD pipeline
- Dependency vulnerability monitoring
- Regular security audits of critical components
Documentation Security:
- Security considerations in all operational guides
- Threat model documentation for each pipeline step
- Security configuration examples and best practices
- Incident response procedures and playbooks
Environment Setup:
- Use isolated Python virtual environments
- Keep dependencies updated: `pip install --upgrade -r requirements.txt`
- Validate GNN file sources before processing
- Use secure API key storage (environment variables, not files)
Code Security:
- Review generated code before execution
- Validate all inputs to GNN parsers
- Use sandbox environments for testing unknown models
- Follow secure coding practices for extensions
Infrastructure Security:
- Deploy with minimal required privileges
- Use encrypted connections for all API calls
- Implement proper logging and monitoring
- Regular security updates and patches
Configuration Security:
- Secure API key management (Azure Key Vault, AWS Secrets Manager)
- Network segmentation for GNN processing
- Input validation for all user-provided GNN files
- Output sanitization for generated code
PyMDP Security:
- Validate matrix dimensions before processing
- Sanitize numerical inputs for stability
- Monitor memory usage for large state spaces
RxInfer.jl Security:
- Validate Julia code generation outputs
- Secure inter-process communication with Julia
- Monitor computational resource usage
ActiveInference.jl Security:
- Validate Julia ActiveInference.jl code generation outputs
- Secure inter-process communication with Julia
- Monitor computational resource usage for ActiveInference.jl simulations
LLM Integration Security:
- Never include sensitive data in prompts
- Validate all LLM-generated outputs
- Use prompt injection prevention techniques
- Implement rate limiting for API calls
- Complete Security Framework - Comprehensive security guide
- Deployment Security - Production security configurations
- MCP Security - Model Context Protocol security measures
- PyMDP Security - PyMDP-specific security
- RxInfer.jl Security - Julia integration security
- ActiveInference.jl Security - ActiveInference.jl integration security
- LLM Security - AI integration security practices
- Security Incident Response - Response procedures
- Vulnerability Assessment - Assessment frameworks
- Security Monitoring - Monitoring and alerting
- Security Review: Participate in security-focused code reviews
- Vulnerability Research: Help identify potential security issues
- Documentation: Improve security documentation and guides
- Tool Development: Create security-focused tools and utilities
- Security Announcements: Subscribe to repository notifications
- Release Notes: Check Changelog for security fixes
- Community Forum: Engage in security discussions
- Best Practices: Share security configurations and patterns
We appreciate your help in keeping GeneralizedNotationNotation secure across all dimensions: physical, digital, and cognitive.
Related Documentation: Security Guide | Deployment Security | Contributing Security