anonde is a local-first PII anonymization toolkit. A vulnerability here can expose the very data the tool exists to protect, so we take reports seriously and ask you to disclose them responsibly.
anonde is pre-1.0. Only the latest 0.x minor release receives
security fixes; there are no long-term support branches yet.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
When 1.0 ships, this table will be updated with a longer support window.
Do not open a public issue, pull request, or discussion for a security problem. Use one of the private channels below:
- GitHub private vulnerability reporting (preferred) — open the Security tab and submit a draft advisory. This keeps the report private and lets us collaborate on a fix in the same place.
- Email — security@anonde.io. Encrypt with our PGP key if you have sensitive details; ask for the key in a first, content-free message if needed.
Please include, as far as you can:
- The affected version, commit, or image tag.
- The build variant (patterns-only or
-tags nerNER). - A minimal reproduction — input, request, and observed vs. expected behavior. Redact any real PII from the report itself.
- Impact: what an attacker gains (e.g. plaintext leak, vault bypass, unauthorized reveal).
| Stage | Target |
|---|---|
| Acknowledgement of report | within 3 business days |
| Initial severity assessment | within 7 business days |
| Fix or mitigation plan | within 30 days for High/Critical |
We will keep you updated as the fix progresses, credit you in the release notes and advisory unless you ask otherwise, and coordinate a disclosure date with you. We follow a 90-day coordinated disclosure window: if a fix is not ready by then, we will discuss next steps with you rather than disclose unilaterally.
In scope — issues in this repository, including:
- Incomplete or bypassable anonymization that leaks PII downstream (note: missed spans are a recall concern tracked by the benchmark, not a security report, unless the miss is triggerable by crafted input).
- Unauthorized reveal / de-anonymization, or bypass of the
actor+purposegate on the reveal path. - Token-vault disclosure, predictable tokens, or cross-tenant leakage.
- Injection, SSRF, or request smuggling through the HTTP API or the OpenAI-compatible proxy.
- Secrets (API keys, upstream credentials) exposed via logs, errors, or responses.
- Build- or image-supply-chain issues (e.g. the bundled
libonnxruntime.soin the NER image).
Out of scope:
- Vulnerabilities in third-party dependencies — report those upstream; tell us if anonde's default configuration makes them exploitable.
- Findings that require a misconfigured deployment the docs warn against (e.g. exposing the server to the public internet without auth).
- Detection-recall gaps with no security trigger — open a normal issue or see the benchmark suite.
anonde is self-hosted; some of its security posture is the operator's responsibility:
- The HTTP API has no built-in authentication in
0.1. Run it inside your trust boundary, behind your own gateway or mTLS. Do not expose it directly to the public internet. - The token vault is reversible by design. Treat the vault store (in-memory or bbolt file) as containing the original cleartext, and protect it accordingly.
- Encryption operators use keys you supply — manage and rotate them with your normal secrets process.
Thank you for helping keep anonde and its users safe.