The following versions of Sarvis Spring Boot Starter are currently supported with security updates:

If you discover a security vulnerability, please report it responsibly.

Do NOT create a public GitHub issue for security vulnerabilities.

Instead, report it privately via GitHub Security Advisories or contact the maintainer:

Repository: https://github.com/AkashKobal/sarvis-spring-boot-starter/security/advisories

Maintainer: https://github.com/AkashKobal

Include the following details:

• Description of the vulnerability
• Steps to reproduce
• Impact assessment
• Possible mitigation or fix (if available)
• Logs, stack traces, or screenshots (if applicable)

You will receive a response as soon as possible.

When using Sarvis Spring Boot Starter:

❌ Incorrect:

String apiKey = "your-secret-api-key";

✅ Correct:

sarvis:
  api-key: ${SARVIS_API_KEY}

Linux / macOS:

export SARVIS_API_KEY=your-api-key

Windows:

set SARVIS_API_KEY=your-api-key

Never commit:

• API keys
• Tokens
• Passwords
• Credentials
• .env files

Add to .gitignore:

.env
application-local.yml
application-secret.yml

application.yml

sarvis:
  api-key: ${SARVIS_API_KEY}
  model: sarvam-m

Keep dependencies up to date.

Check for vulnerabilities:

mvn dependency-check:check

or

mvn versions:display-dependency-updates

• Use environment variables or secure vaults (AWS Secrets Manager, HashiCorp Vault, etc.)
• Never expose API keys in logs
• Never expose API keys in client-side applications
• Rotate API keys periodically

Please allow reasonable time to investigate and resolve vulnerabilities before public disclosure.

Security fixes will be released as soon as possible.

Maintainer: Akash Kobal
GitHub: https://github.com/AkashKobal

Project Repository:
https://github.com/AkashKobal/sarvis-spring-boot-starter

Security Advisories:
https://github.com/AkashKobal/sarvis-spring-boot-starter/security/advisories

Thank you for helping keep Sarvis Spring Boot Starter secure.