Overview
At LangChain, the security of our infrastructure and customer data is paramount. We maintain a robust vulnerability management program designed to identify, assess, and remediate security risks continuously. This article outlines our scanning infrastructure, our policies for remediation, and resources for customers conducting their own due diligence.
Trust Center
For a comprehensive view of our security posture, compliance certifications (SOC 2, ISO 27001, etc.), and real-time monitoring, please visit our Trust Center. This is the primary resource for existing customers to download security packets and audit reports.
How We Detect Vulnerabilities
We utilize industry-leading tools to maintain a real-time view of our security landscape. Our internal "Source of Truth" for vulnerability validation relies on two main systems.
Vanta is used for continuous compliance monitoring and ensuring workstation security across our organization.
Google Artifact Registry (GAR) is responsible for scanning our container images and deployment artifacts for vulnerabilities before they ever reach production.
Remediation SLAs
Once a vulnerability is confirmed by our internal tools, we adhere to strict Service Level Agreements (SLAs) to ensure timely remediation.
Critical severity issues are remediated in less than 2 weeks.
High severity issues are remediated within 30 days.
Medium and Low severity issues are prioritized based on risk impact and addressed during regular patch cycles.
Customer-Reported Scans
We understand that customers may occasionally run their own scans against our deployments. It is important to note that external scans often flag false positives, such as theoretical configuration issues or non-active libraries that do not represent a true exploit path in our specific environment.
If your scan reports an issue, please cross-reference it with the reports available in our Trust Center. We prioritize findings from our internal Vanta and GAR scans as they are configured with the full context of our architecture.