1. Security Overview
AiExponent ships open-source compliance tooling under Apache 2.0. Source for every tool is public; every release is reproducible from the tagged commit.
- Source: GitHub, public. github.com/aiexponenthq
- License: Apache 2.0 (full grant, including patent).
- Distribution: PyPI for Python tools; binaries / Docker images on per-tool release pages.
- No telemetry. The CLIs do not phone home; they read local files and emit local artefacts.
2. Vulnerability Disclosure
Found a security issue? We treat coordinated disclosure as the default. Please report privately first.
Primary channel
Email security@aiexponent.com with reproduction steps and an estimate of impact. PGP key on request. We acknowledge within 48 hours and target a fix or mitigation timeline within 7 days for critical issues.
Per-tool SECURITY.md files (linked in §3) repeat this policy at the repo level so Dependabot / GitHub scanners route correctly.
3. Supply Chain
Per-tool security policies and distribution metadata. Each row links to the live SECURITY.md in the GitHub repository — what you read on the site is what is in the repo.
| Tool | Distribution | SECURITY.md |
|---|---|---|
| License Compliance Checker | PyPI distribution — checksum + license metadata audit-ready | View → |
| RiskForge | PyPI distribution — checksum + license metadata audit-ready | View → |
| RAG Benchmarking | PyPI distribution — checksum + license metadata audit-ready | View → |
| LitmusAI | PyPI distribution — checksum + license metadata audit-ready | View → |
4. Dependency Audits
- Cadence: Dependabot / pip-audit run on every push. Critical advisories are patched within 7 days; high-severity within 14.
- Pinned versions: All production dependencies are version-pinned. Lockfiles are committed.
- License compatibility: LCC (our own license-compliance tool) gates pull requests across the OSS portfolio. The CI gate is a falsifiable test of our own claim — see LCC docs.
5. Data Handling
The OSS tools run locally. They read your repository or your model artefacts from disk and emit reports back to disk. They do not transmit data to AiExponent.
The marketing website (aiexponent.com) collects only what visitors submit through the contact form (name, email, organisation, message). Form submissions are routed to hello@aiexponent.com via Resend. No analytics that fingerprint visitors are embedded.
6. Authentication & Access
No authenticated surfaces ship in the OSS portfolio today; every tool is local-CLI-first. The forthcoming Sigil enterprise platform will require SSO and document its threat model on this page before any external pilot. Until that artefact exists, this section will remain about the current state, not a roadmap promise.
7. Incident Response
- Severity classification follows a P0/P1/P2/P3 scheme. P0 = exploitable in published code; P1 = exploitable in a pre-release branch.
- P0 acknowledgement within 4 hours. Mitigation or coordinated-disclosure timeline within 24 hours.
- Post-incident: a public, blameless writeup is published on the affected repo within 14 days for any P0 or user-data-affecting P1.
8. Roadmap
Items the team has committed to ship before the next review of this page. Each one is a discrete artefact, not an aspiration:
- SLSA Level 2 provenance for PyPI releases.
- Signed SBOMs (CycloneDX) on every tool release page.
- Public threat model for Sigil before any external pilot starts.
When each item ships, it moves out of §8 and into the appropriate section above with a link to the artefact. This page does not list aspirations once they have been there for two reviews.