Inquiry Regarding Secure Usage of Rasa Open Source

Dear Rasa Community, I’ve been exploring the Rasa framework for building conversational AI applications and have been impressed with its capabilities. However, before proceeding further, I wanted to address some security concerns that have been brought to my attention.

Upon reviewing the framework, I noticed that there have been vulnerabilities reported in some of Rasa’s dependencies, such as Pillow and cryptography (e.g., CVE-2023-50447 and CVE-2023-49083). As security is a top priority for our project, I wanted to inquire about the following:

  1. Is there a recommended approach or best practice for ensuring the secure usage of Rasa Open Source, particularly in regards to managing and addressing vulnerabilities in its dependencies?
  2. Are there any plans or initiatives in place to address security vulnerabilities in Rasa’s dependencies in upcoming releases?
  3. Could you provide insights into the dependency management process within the Rasa framework, including how vulnerabilities are monitored, addressed, and communicated to users?
  4. Are there any specific versions or configurations of Rasa Open Source that are known to be more secure or have fewer vulnerabilities in their dependencies?

For me, it’s recommended to stay updated with the latest releases and security advisories. While there may not be specific versions guaranteed to be free of vulnerabilities, regularly updating to the latest stable release is generally advisable to benefit from security fixes and enhancements. One more thing: maintaining awareness of security best practices, such as securing server infrastructure and implementing authentication mechanisms, can further enhance the security posture of Rasa-based applications as well.