The following versions of nlp2sql are currently being supported with security updates.

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Email the maintainers directly at [security contact email]
3. Or use GitHub's private vulnerability reporting feature (Security tab > Report a vulnerability)

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Within 30 days for critical issues

• Accepted: We will work on a fix and coordinate disclosure with you
• Declined: We will explain why the report does not qualify as a security vulnerability

Security issues relevant to this project include:

• SQL injection vulnerabilities in generated queries
• Credential exposure in logs or error messages
• Insecure handling of database connection strings
• Vulnerabilities in AI provider API key management
• Dependencies with known security issues

• Issues in third-party AI providers (OpenAI, Anthropic, Google)
• Vulnerabilities requiring physical access to the server
• Social engineering attacks

When using nlp2sql in production:

1. Never commit .env files - Use environment variables or secret management
2. Use read-only database credentials when possible
3. Enable query validation to prevent dangerous SQL execution
4. Review generated SQL before executing on sensitive data
5. Keep dependencies updated - Run uv sync regularly