If you discover a security vulnerability in this project, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
- Email: Send a detailed report to security-opensource@gruposantander.com
- GitHub Security Advisories: Alternatively, use GitHub Security Advisories to report privately.
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Stage | SLA |
|---|---|
| Acknowledgment of report | < 48 hours |
| Initial assessment and severity classification | < 7 days |
| Fix for Critical/High severity | < 30 days |
| Fix for Medium/Low severity | < 90 days |
- We will acknowledge your report within 48 hours.
- We will investigate and determine the severity.
- We will develop and test a fix.
- We will release the fix and publish a security advisory.
- We will credit you publicly in the advisory and CHANGELOG (unless you prefer to remain anonymous).
This security policy applies only to code in this repository. It does not cover:
- Santander's internal infrastructure or systems
- Other Santander products or services
- Third-party dependencies (report those to the respective maintainers)
mech-gov-framework is a model-agnostic Python library for governing LLM
decisions. It ships an offline, deterministic mock LLM provider by default and
does not require network access or credentials to run. When configured with a
real backend (callable, openai_compatible, or the optional bedrock/sagemaker
extras), it issues outbound requests to the endpoint you supply.
Reports concerning unsafe handling of model credentials passed through the
MECH_GOV_LLM_* environment variables, deserialization of policy templates or
dataset/config files (YAML/JSON), or bypasses of the R2 mechanical enforcement
gates are in scope.
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor release | Security fixes only |
| Older versions | No |
- Never commit secrets, API keys, tokens, or credentials
- Never commit internal URLs, IP addresses, or corporate email addresses
- Never commit personally identifiable information (PII) or customer data
- Provide model endpoints and keys exclusively through the MECH_GOV_LLM_* environment variables
- Keep dependencies up to date (Dependabot is enabled on this repository)
We follow a coordinated disclosure process. We ask that you:
- Give us reasonable time to fix the vulnerability before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify data that does not belong to you