Introduction
Matches allows correlating Fluid Attacks’ vulnerabilities with custom vulnerabilities provided by the client via Integrates.
Public Oath
Fluid Attacks handles client data with the utmost care and respect, including its custom criteria threats. Any AI tool (either external or self-hosted) will be used ethically and responsibly. We will ensure that the data is not used for any purpose other than the one agreed upon with the client. An opt-out agreement was made with the AI embedding provider to ensure that the data is not collected for training purposes.
Architecture
- Criteria embedding: Fluid Attacks’ criteria library is processed with VoyageAI to produce vector embeddings; the resulting chromadb vector database collections are stored in AWS S3.
- Custom threat definition: the client can upload their custom threat criteria through the Integrates platform, which are eventually stored in AWS S3.
- Threat mapping: once uploaded, a task is triggered to extract meaningful threats from the client’s documents with a pre-trained BERT classification model. The client’s custom threats are then mapped against Fluid Attacks’ criteria library to find the most correlated criteria, and those mappings are eventually stored in the Integrates DynamoDB main table via SQS.
- See mapped threats in the platform: the client can query the mappings through the Integrates platform. These are visible in the matches tab for every group.
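The threat-mapping step described above, carried through as an added example that is not part of the Matches code base: the embeddings are a constructed bag-of-words stand-in for the VoyageAI vectors, the criteria library and custom threats are constructed sample data, and the mapping record shape is illustrative. A similarity threshold keeps unrelated client text from being forced onto the nearest criterion.

```python
"""Threat mapping: embed each custom threat, compare it with every entry of the
criteria library by cosine similarity, and keep the most correlated criteria."""
import math
import re
from collections import Counter

# Constructed sample data: a tiny criteria library and three custom threats.
CRITERIA = {
    "C-001": "Use of insecure SQL queries built with string concatenation",
    "C-002": "Weak password policy allows short passwords",
    "C-003": "Sensitive information stored in plain text logs",
}
THREATS = {
    "T-1": "Login form allows short weak passwords",
    "T-2": "SQL queries are built by concatenation of user input",
    "T-3": "Office coffee machine is out of order",  # unrelated to any criterion
}


def embed(text: str) -> dict:
    """Stand-in for the VoyageAI embedding call: a unit-length sparse
    bag-of-words vector. Deterministic and offline."""
    counts = Counter(re.findall(r"[a-z0-9]+", text.lower()))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {tok: c / norm for tok, c in counts.items()}


def cosine(a: dict, b: dict) -> float:
    """Dot product of two unit vectors, i.e. their cosine similarity."""
    return sum(w * b.get(tok, 0.0) for tok, w in a.items())


def map_threats(criteria, threats, top_k=2, min_score=0.3):
    """Return one mapping record per (threat, criterion) pair that ranks in the
    threat's top_k and scores at least min_score. A threat with nothing above
    the threshold yields no record instead of a spurious match."""
    library = {cid: embed(desc) for cid, desc in criteria.items()}
    mappings = []
    for tid, desc in threats.items():
        tvec = embed(desc)
        ranked = sorted(((cosine(tvec, cvec), cid) for cid, cvec in library.items()), reverse=True)
        for score, cid in ranked[:top_k]:
            if score >= min_score:
                mappings.append({"threat_id": tid, "criteria_id": cid, "score": round(score, 3)})
    return mappings


if __name__ == "__main__":
    for record in map_threats(CRITERIA, THREATS):
        print(record)
```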
Data Security and Privacy
Matches does not manipulate personally identifiable information (PII) or compromising or sensitive data, as it only processes custom vulnerabilities provided by the client. Such custom threats are stored in DynamoDB and S3, all inside Fluid Attacks’ AWS account.
Voyage AI
Voyage AI, by default, utilizes customer data for training and improving AI models. However, Fluid Attacks explicitly opts out of this default setting, ensuring that client data provided to Voyage AI is used solely for generating embeddings and is not leveraged for any model training or improvement purposes. (Voyage AI Privacy Policy)
Some additional points to consider:
- Voyage AI hosts its infrastructure in the USA.
- Since Fluid Attacks opted out of data collection, the data is not stored on Voyage AI’s servers (zero storage time).
- Data transmitted to Voyage AI is encrypted in transit with SSL in all its APIs.
- Voyage AI has GDPR, SOC 2 and HIPAA compliance certifications.
Chroma vector database
Chroma is an open source vector database that can be self-managed locally, which means that the data is not sent to any cloud provider.
Yet, Chroma contains an anonymous telemetry feature which is enabled by default. We have opted out of this feature by setting anonymized_telemetry to false in the Settings object.
Contributing
Please read the contributing page first.