Do not open a public issue. Email security reports to:
You'll receive an acknowledgment within 48 hours.
- Description of the vulnerability
- Steps to reproduce
- Affected components and versions
- Potential impact
- Private report → acknowledgment (48h)
- Investigation and fix development
- Coordinated disclosure with the fix release
If you're deploying AgentHub in production:
- Change
JWT_SECRETandKMS_MASTER_KEYfrom defaults - Rotate all database and service passwords
- Use TLS on external-facing endpoints
- Keep infrastructure services (NATS, PostgreSQL, Redis) on internal networks
- Review the sensitive-tool pattern list for your use case
- Keep dependencies updated (
go mod tidy,cargo audit)
In scope: Auth bypass, JWT forgery, KMS extraction, message injection, sandbox escape, SQL injection, SSRF, sensitive data in logs.
Out of scope: DoS via resource exhaustion, physical attacks, social engineering, vulnerabilities in upstream infrastructure (PostgreSQL, Redis, NATS).
Thank you for helping keep AgentHub secure. 🔐