| Version | Supported |
|---|---|
| 0.0.x | ✅ |
Please report security issues via GitHub Security Advisories.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected component
- Potential impact assessment
| Stage | Target |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix or mitigation | 30 days |
| Public disclosure | After fix release |
- Injection vulnerabilities (SQL, command, path traversal)
- Device command safety bypass (sending unapproved commands to devices)
- Credential or API key exposure
- Privilege escalation
- Plugin sandbox escape
- Denial of service against local-only services
- Bugs in third-party dependencies (report upstream)
- Social engineering
Device-use controls physical laboratory hardware via computer-use agents. Security vulnerabilities that could result in:
- Uncontrolled device activation (lasers, motors, high-voltage equipment)
- Safety interlock bypass
- Calibration data corruption
- Unauthorized experiment execution
are treated as critical severity regardless of software impact assessment.
- API tokens and deploy SSH keys: rotate every 90 days.
- Emergency rotation: within 24 hours of suspected compromise.
- Never log secret values or full token identifiers.