Security Policy

Supported Versions

Security fixes are applied to the latest commit on the main branch. No separate release branches are maintained at this time.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Report security issues privately using one of these methods:

1. GitHub Security Advisories (preferred): Use the Report a vulnerability link on the Security tab of this repository. GitHub will keep the report private until a fix is coordinated.
2. Email: Send details to the repository owner through the contact information on the GitHub profile.

What to include

• Description of the vulnerability and affected component(s)
• Steps to reproduce (or a proof-of-concept if available)
• Potential impact (data exposure, authentication bypass, privilege escalation, etc.)
• Any suggested fix if you have one

Response timeline

• Acknowledgement: within 3 business days
• Initial assessment: within 7 business days
• Fix and coordinated disclosure: timeline depends on severity; critical issues are prioritized

Scope

In scope:

• hub/gateway/ — OAuth, JWT, image proxy, billing
• hub/bridge/ — GitHub integration, vault sync, team roles
• hub/icp/ — ICP canister (Motoko)
• lib/ — core library (search, memory, importers, AIR)
• mcp/ — MCP server
• cli/ — CLI
• web/hub/ — Hub frontend

Out of scope:

• Self-hosted deployments that use default or weak secrets in config/local.yaml or .env
• Vulnerabilities that require physical access to the server
• Denial-of-service attacks against self-hosted instances
• Third-party services (GitHub OAuth, Stripe, Netlify, Internet Computer)

Security hardening

This codebase has completed a 4-phase pre-launch security audit (Phases 0–3). See docs/SECURITY-AUDIT-PLAN.md for the full remediation record.