| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
-
Do NOT create a public GitHub issue
-
Email the security team at security@honeyjar.xyz with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fixes (optional)
-
Expect a response within 48 hours
-
Coordinate disclosure timeline with maintainers
- Authentication/authorization bypasses
- Injection vulnerabilities (command, code, etc.)
- Secrets exposure risks
- Insecure default configurations
- Agent prompt injection vectors
- MCP server security issues
- Vulnerabilities in dependencies (report to upstream)
- Social engineering attacks
- Physical security issues
- Denial of service (unless critical)
This repository uses:
- TruffleHog - Secret detection
- GitLeaks - Secret scanning
- Dependabot - Dependency vulnerability alerts
- CodeQL - Static code analysis
The main branch is protected with:
- Required pull request reviews
- Required status checks
- No force pushes
- No deletions
- All secrets must use environment variables
- No hardcoded credentials in code
.envfiles are gitignored- Secret rotation procedures documented
- Never commit secrets - Use environment variables
- Validate all inputs - Especially in agent prompts
- Sanitize outputs - Prevent information disclosure
- Review MCP integrations - External APIs need security review
- Use minimal required permissions
- Validate data from external sources
- Handle errors without exposing sensitive info
- Test with mock data before production
| Day | Action |
|---|---|
| 0 | Vulnerability reported |
| 1-2 | Acknowledgment sent |
| 3-7 | Initial assessment complete |
| 8-30 | Fix developed and tested |
| 31-45 | Coordinated disclosure (if approved) |
Security updates are announced via:
- GitHub Security Advisories
- CHANGELOG.md updates
- Discord announcements (for critical issues)
Thank you for helping keep Loa secure!