Skip to content

RecSys

Security policy

Initializing search

Home
Start here
Personas
Tutorials
How-to guides
Reference
Explanation
For businesses
Operations
Components
Project
What's new
Tags

RecSys

Home
Start here
Start here
Personas
Personas
Tutorials
Tutorials
How-to guides
How-to guides
Reference
Reference
- Auth and tenancy
- Minimum instrumentation spec
- Integration spec
- API
  API
- Data contracts
  Data contracts
- Config
  Config
- CLI
  CLI
  - recsys-eval
  - recsys-pipelines
- Database
  Database
Explanation
Explanation
For businesses
For businesses
Operations
Operations
- Production readiness checklist
- Performance & capacity
- Baseline benchmarks
- Failure modes & diagnostics
- Runbooks
  Runbooks
Components
Components
- recsys-algo
  recsys-algo
- recsys-eval
  recsys-eval
  - Overview
  - Workflows
    Workflows
    
    Offline gate in CI
    
    Online A/B in production
    
    Decision playbook (ship/hold/rollback)
    
    Default evaluation pack
    
    Interpretation cheat sheet
  - Concepts
  - Data contracts
  - Integration
  - Metrics
  - Interpreting results
  - OPE
  - Interleaving
  - Architecture
  - CI gates
  - Scaling
  - Runbooks
  - Troubleshooting
  - Security & privacy
  - Style guide
  - Roadmap
- recsys-pipelines
  recsys-pipelines
  - Overview
  - Start here
  - Glossary
  - Learning paths
    Learning paths
    
    Engineer
    
    Data engineer
    
    SRE / on-call
    
    Product / stakeholders
  - Tutorials
    Tutorials
    
    Local quickstart
    
    Job-per-container mode
  - How-to
    How-to
    
    Operate pipelines daily
    
    Backfill safely
    
    Roll back artifacts safely
    
    Run incremental
    
    Run a backfill
    
    Schedule pipelines
    
    Debug failures
    
    Roll back the manifest
    
    Add artifact type
    
    Add event field
  - Explanation
    Explanation
    
    Architecture
    
    Data lifecycle
    
    Windows and backfills
    
    Artifacts and versioning
    
    Validation and guardrails
    
    Documentation approach
  - Reference
    Reference
    
    CLI
    
    Config
    
    Output layout
    
    Exit codes
    
    Event schema
    
    Artifact schema
  - Operations
    Operations
    
    SLOs and freshness
    
    Runbooks
    Runbooks
    
    Pipeline failed
    
    Validation failed
    
    Limit exceeded
    
    Stale artifacts
  - Contributing
    Contributing
    
    Dev workflow
    
    Style guide
    
    Releasing
Project
Project
- Glossary
- Message map
- Support model
- Security policy Security policy
  Table of contents
- Governance
- Contributing
- Code of conduct
- Docs style guide
- Documentation quality gates
- Persona journey tests and scoring rubric
- Linking and naming style reference
- Canonical content map
- Docs templates
- Docs per release policy
- Docs versioning
- Licenses readme
What's new
What's new
- Archive
  Archive
  - 2026
Tags

Table of contents

Reporting a vulnerability
Coordinated disclosure
Supported versions
Security hardening guidance (high level)
Read next

Home
Project

project security

Security Policy¶

This page explains Security Policy and how it fits into the RecSys suite.

Reporting a vulnerability¶

Please do not open public GitHub issues for security vulnerabilities.

Preferred reporting options:

GitHub Security Advisories / Private vulnerability reporting (if enabled for this repo)
Email: security@recsys.app

Include:

A clear description of the issue and potential impact
Steps to reproduce (PoC if possible)
Affected versions/commit hashes
Any suggested fixes or mitigations

Coordinated disclosure¶

We follow coordinated disclosure:

We will acknowledge receipt within 72 hours (best effort)
We will work with you on a disclosure timeline where feasible
We will credit reporters in release notes unless you prefer anonymity

Supported versions¶

We aim to support the latest stable minor release line.
Security fixes may be backported at our discretion, depending on severity and effort.

Security hardening guidance (high level)¶

Run the service with least privilege
Keep secrets out of images; use environment variables or a secrets manager
Restrict network access; prefer private networking for internal deployments
Monitor logs and metrics for anomalous traffic

Read next¶

Project hub: Project
Contributing: Contributing

2026-02-08

Aatu Harju

Copyright © RecSys - Change cookie settings

Made with Material for MkDocs

Cookie consent

We use cookies to measure documentation usage and improve this site. You can accept or reject analytics cookies.

GitHub
Google Analytics

Manage settings