Is Areebi SOC 2 certified?

Areebi deploys entirely inside your infrastructure, so your existing SOC 2 controls cover the runtime environment. Areebi provides the audit logging, access controls, and policy enforcement you need to demonstrate compliance to your auditor. SOC 2 Type II certification for Areebi's own corporate controls is planned for 2026; we will publish the attestation when it is complete.

Where is Areebi data stored?

All data stays within your infrastructure. Areebi deploys as a self-hosted Docker image - on-premises, in your VPC, or air-gapped. No prompts, responses, or documents are sent to external servers.

Does Areebi sign BAAs for HIPAA compliance?

Because Areebi runs entirely within your environment, the traditional BAA model does not apply. Your organization maintains full control of all protected health information. Areebi provides HIPAA-specific DLP patterns and audit controls.

Public security log

CVE disclosure history

Areebi commits to public CVE disclosure for security issues in products we develop or maintain. We have no CVEs assigned against Areebi-developed products as of 2026-05-20, because we have not yet shipped a paid product to production.

For our open-source contributions (AnythingLLM upstream), CVEs filed against upstream are linked in the table below as they are issued. This page is the single source of truth for the Areebi CVE log.

Coordinated disclosure process

From report to public CVE in four steps

Every reported vulnerability moves through this pipeline. The reporter stays in the loop at each step.

Step 1

Triage with reporter

We confirm reproduction, agree on severity, and align on the disclosure timeline. The reporter remains the primary contact through the entire process.

Step 2

CVE numbering via MITRE

Areebi is not yet a CVE Numbering Authority (CNA). We request CVE IDs directly from MITRE via the standard MITRE CVE request form. Typical turnaround is 5 to 14 days.

Step 3

Coordinated disclosure window

Default 90 day window from confirmed report to public advisory, negotiable per-report. Active exploitation can shorten the window; complex multi-party fixes can extend it.

Step 4

Patched release + advisory + credit

We ship a patched release, publish the advisory on this page (and via RSS), file the CVE with MITRE, and credit the researcher unless they prefer anonymity.

CVE log

Every CVE we have disclosed

Below is the canonical CVE table for Areebi-developed and Areebi-maintained software. Updated within 24 hours of any CVE being issued.

CVE ID	Affected component	Severity	Discovered	Disclosed	Patched	Reporter	Advisory link
No CVEs disclosed yet We have not shipped a paid product to production. When the first CVE is filed against Areebi software, it will appear in this table within 24 hours of MITRE assignment.

CVE ID

Affected component

Severity

Discovered

Disclosed

Patched

Reporter

Advisory link

No CVEs disclosed yet

We have not shipped a paid product to production. When the first CVE is filed against Areebi software, it will appear in this table within 24 hours of MITRE assignment.

Severity ratings use CVSS 3.1 base scores. Reporter names are published with consent; anonymous reports are credited as "anonymous researcher".

Stay subscribed

Get advisories the moment they publish

No marketing list, no waiting for our weekly digest. Pick the channel that fits your workflow.

RSS feed

The Areebi blog feed includes every published security advisory. Add it to your reader for real-time delivery.

Subscribe to /feed.xml

GitHub Security Advisories

Advisories for our AnythingLLM fork are published as GitHub Security Advisories on the mitsubishyy/anything-llm repository.

Watch advisories on GitHub

Email security@areebi.com

To report a vulnerability or request to be added to a coordinated disclosure list for a specific issue, email us directly.

security@areebi.com

What counts as an Areebi-attributable CVE

Vulnerabilities introduced by code authored by Areebi engineers in the mitsubishyy/anything-llm fork, areebi-website, or any Areebi-authored repository
Vulnerabilities in Areebi-deployed configurations of upstream open source (configuration-induced CVEs)
Vulnerabilities in Areebi-operated infrastructure (areebi.com, Trust Center, marketing properties) that impact customer-trustworthy data

Upstream AnythingLLM CVEs that we did not introduce are tracked via the upstream repository and Mintplex Labs advisories. We will link them from our advisory text when they affect Areebi customer deployments.

The CVE log is part of a larger commitment

Coordinated disclosure, public threat models, and a self-attested SOC 2 readiness tracker reinforce each other.

Responsible disclosure Public threat models SOC 2 readiness

Report a vulnerability Back to Trust Center

Taking longer than expected.

Reload the page