We prioritize the security of our users and community above all else.
Philosophy: Transparency and responsible disclosure
Versions receiving security updates:
| Project | Version | Supported |
|---|---|---|
| AIRIS MCP Gateway | 1.x.x | β |
| mindbase | 0.x.x (Beta) | β |
| superagent | 1.x.x | β |
| neural | 0.x.x (Beta) | β |
| selfhosted-supabase-mcp | 1.x.x | β |
| cmd-ime | 0.x.x (Beta) | β |
Important: Do not report security vulnerabilities through public issues.
Contact:
- π§ Email: security@agiletec.net
- π Encryption: PGP Key available on request
Report Contents:
- Detailed description of the vulnerability
- Affected versions
- Reproduction steps (PoC)
- Potential impact scope
- Proposed fix (if available)
Timeline:
-
Acknowledgment (within 24 hours)
- Confirm receipt of report and send acknowledgment
-
Initial Assessment (within 3 business days)
- Evaluate vulnerability severity (CVSS v3.1)
- Investigate impact scope
-
Fix Development (based on severity)
- Critical: within 1 week
- High: within 2 weeks
- Medium: within 1 month
- Low: next release
-
Patch Release
- Release security patch
- Obtain CVE number (if necessary)
-
Disclosure (90 days after patch release)
- Publish vulnerability details
- Acknowledge reporter
Target Projects:
- AIRIS MCP Gateway
- mindbase
- superagent
- neural
- selfhosted-supabase-mcp
- cmd-ime
- Agiletec Platform (private products)
Bounty Amounts (under consideration):
- Critical: $500 - $2,000
- High: $200 - $500
- Medium: $50 - $200
- Low: Acknowledgment only
Excluded:
- Known vulnerabilities in third-party libraries
- Social engineering attacks
- Attacks requiring physical access
- DoS/DDoS attacks
Secret Management:
- β Use secret managers like Infisical
- β Don't commit
.envfiles to Git - β Don't hardcode API keys in code
Dependency Management:
- Run
npm auditorpnpm auditregularly - Enable Dependabot
- Regular library updates
Authentication & Authorization:
- Set JWT token expiration
- Implement CSRF protection
- Introduce rate limiting
Infrastructure Security:
- β Enforce HTTPS/TLS
- β Principle of Least Privilege
- β Network isolation (Docker networks)
- β Regular security patch application
Data Protection:
- Database encryption (at-rest, in-transit)
- Row-Level Security (RLS) for multi-tenant isolation
- Backup encryption
| Date | Auditor | Scope | Findings |
|---|---|---|---|
| TBD | Internal | AIRIS Platform | TBD |
| TBD | External | MCP Gateway | TBD |
We strive to comply with the following security standards:
- OWASP Top 10 (Web Application Security)
- CWE Top 25 (Common Weakness Enumeration)
- NIST Cybersecurity Framework (Infrastructure Security)
- GDPR Compliance (for EU customers)
- Japan Personal Information Protection Act Compliance
- Data minimization principle
- Static Analysis: ESLint security plugins
- Dependency Scanning: Snyk, npm audit
- Secret Scanning: git-secrets, TruffleHog
- Container Scanning: Trivy
We thank security researchers:
- (Researcher names - to be added after vulnerability disclosure)
For general security questions:
- π§ Email: security@agiletec.net
- π GitHub Security Advisory: Security tab of each project
Security is a continuous journey, not a destination.
We strive daily to provide safe and reliable software.
β Agiletec Inc. Security Team