SerenityGPT secure software supply chain commitment

This document outlines SerenityGPT's commitment to maintaining a secure software supply chain for its containerized, Python-based enterprise AI search product.

Software bill of materials (SBOM)

The SerenityGPT product includes third-party components and open-source software. An SBOM is available upon request, detailing all components used in the software. This SBOM adheres to the SPDX format and includes:

  • A list of all direct and transitive dependencies.
  • Version information for each component.
  • License information for each component.

Security practices and standards

SerenityGPT's development process implements Center for Internet Security (CIS) best practices and works towards National Institute of Standards and Technology (NIST) compliance. This approach ensures a strong foundation for security while allowing for scalability as the product matures.

Vulnerability management

SerenityGPT addresses vulnerabilities based on their severity, as defined by the Common Vulnerability Scoring System (CVSS):

  • Critical (CVSS 9.0-10.0): Address within 7 business days.
  • High (CVSS 7.0-8.9): Address within 30 business days.
  • Medium (CVSS 4.0-6.9): Address in future releases as appropriate.
  • Low (CVSS 0.1-3.9): Address in future releases as appropriate.

These timeframes represent maximum response times. SerenityGPT strives to address vulnerabilities faster whenever possible. Continuous monitoring and proactive measures aim to prevent vulnerabilities before they occur.

Dependency management

The SerenityGPT product uses various open-source Python libraries. A rigorous process keeps these dependencies up to date, minimizing exposure to known vulnerabilities. Information about current dependencies is available upon request as part of the SBOM.

Customer security assessments

Transparency is a key value at SerenityGPT. Customers are welcome to conduct their own security scans of the product. SerenityGPT is committed to addressing any legitimate concerns raised through these assessments promptly and thoroughly.

Continuous improvement

Security is an ongoing process. SerenityGPT continuously evaluates and improves security practices, staying informed about emerging threats and best practices in the field of AI and enterprise software security.

Contact

For any security-related inquiries or to request an SBOM, please contact the SerenityGPT support team.