tiennm99/litellm
1
0
Fork 0
mirror of https://github.com/tiennm99/litellm.git synced 2026-06-26 01:06:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
64ec11df8b014e6b86e775cef1d7c58df874d4e6
litellm/security.md
T
ishaan-berri 1110a206ae Update security.md
2026-03-31 10:27:13 -07:00

3.1 KiB
Raw Blame History

Data Privacy and Security

Security Vulnerability Reporting Guidelines

We value the security community's role in protecting our systems and users. To report a security vulnerability:

  • Email support@berri.ai with details
  • Include steps to reproduce the issue
  • Provide any relevant additional information

We'll review all reports promptly.

Vulnerability Categories

We classify vulnerabilities into the following categories:

P0: Supply Chain Attacks

Attacks that compromise our CI/CD pipeline, allowing a malicious actor to point our PyPI package or Docker images (GHCR or Docker Hub) to vulnerable or tampered artifacts.

P1: Unauthenticated Proxy Access

Application-level attacks where an unauthenticated user is able to gain access to a LiteLLM proxy instance that should be protected.

Bug Bounty Program

We offer bounties for responsibly disclosed vulnerabilities based on severity:

Severity Bounty Range Example
Critical $1,500 - $3,000 P0 supply chain compromise
High $500 - $1,500 P1 unauthenticated proxy access
Medium $250 - $500 P2 authenticated privilege escalation
Low $50 - $250 Minor information disclosure, low-impact misconfigurations

To qualify for a bounty, reports must include clear reproduction steps and must not involve systems or accounts you do not own. We review all submissions promptly and will follow up within 5 business days.

Security Measures

LiteLLM Github

  • All commits run through Github's CodeQL checking

Self-hosted Instances LiteLLM

  • No data or telemetry is stored on LiteLLM Servers when you self host
  • For installation and configuration, see: Self-hosting guided
  • Telemetry We run no telemetry when you self host LiteLLM

LiteLLM Cloud

  • We encrypt all data stored using your LITELLM_MASTER_KEY and in transit using TLS.
  • Our database and application run on GCP, AWS infrastructure, partly managed by NeonDB.
    • US data region: Northern California (AWS/GCP us-west-1) & Virginia (AWS us-east-1)
    • EU data region Germany/Frankfurt (AWS/GCP eu-central-1)
  • All users have access to SSO (Single Sign-On) through OAuth 2.0 with Google, Okta, Microsoft, KeyCloak.
  • Audit Logs with retention policy
  • Control Allowed IP Addresses that can access your Cloud LiteLLM Instance

For security inquiries, please contact us at support@berri.ai

Supported data regions for LiteLLM Cloud

LiteLLM supports the following data regions:

  • US, Northern California (AWS/GCP us-west-1)
  • Europe, Frankfurt, Germany (AWS/GCP eu-central-1)

All data, user accounts, and infrastructure are completely separated between these two regions

Security Vulnerability Reporting Guidelines

We value the security community's role in protecting our systems and users. To report a security vulnerability:

  • Email support@berri.ai with details
  • Include steps to reproduce the issue
  • Provide any relevant additional information

We'll review all reports promptly. Note that we don't currently offer a bug bounty program.

Reference in New Issue View Git Blame Copy Permalink