The Agent Identity Management (AIM) team takes security seriously. We appreciate the security research community's efforts in responsibly disclosing vulnerabilities.
DO NOT open public GitHub issues for security vulnerabilities.
Instead, please report security vulnerabilities by emailing:
To help us assess and address the vulnerability quickly, please include:
- Description: A clear description of the vulnerability
- Impact: The potential impact if exploited
- Reproduction Steps: Detailed steps to reproduce the issue
- Proof of Concept: Code or screenshots demonstrating the vulnerability (if applicable)
- Suggested Fix: If you have ideas on how to fix it (optional)
- Your Contact Information: So we can follow up with questions
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Updates: We will keep you informed of our progress
- Fix: We will work on a fix and coordinate disclosure timing with you
- Credit: We will credit you in our security advisories (unless you prefer to remain anonymous)
- Day 0: Vulnerability reported to info@opena2a.org
- Day 1-2: Acknowledgment sent to reporter
- Day 3-7: Assessment and severity determination
- Day 7-30: Development and testing of fix
- Day 30-90: Coordinated public disclosure after fix is deployed
We ask that you:
- Give us reasonable time to fix the vulnerability before public disclosure
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
We release security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
AIM includes the following security features:
- JWT-based Authentication: Secure token-based authentication
- Bcrypt Password Hashing: Industry-standard password protection
- Role-Based Access Control (RBAC): Granular permission management
- OAuth/OIDC Support: SSO integration
- Ed25519 Key Pairs: Modern elliptic curve cryptography for agent identity (RFC 8032)
- AES-256-GCM: Authenticated encryption for stored private keys (NIST SP 800-38D)
- SHA-256 API Key Hashing: Secure API key storage
- bcrypt (cost=12): Password hashing per OWASP guidelines
- TLS 1.2+: Encrypted data in transit (TLS 1.3 recommended)
| Component | Algorithm | Key Size | Standard |
|---|---|---|---|
| Agent Signatures | Ed25519 | 256-bit | RFC 8032 |
| JWT Signing | HMAC-SHA256 | 256-bit | RFC 7519 |
| Key Encryption | AES-256-GCM | 256-bit | NIST SP 800-38D |
| Password Hashing | bcrypt | cost=12 | OWASP |
| API Key Hashing | SHA-256 | 256-bit | FIPS 180-4 |
- Input Validation: Comprehensive request validation
- SQL Injection Prevention: Parameterized queries throughout
- XSS Protection: Content Security Policy and output encoding
- CSRF Protection: Token-based CSRF prevention
- Rate Limiting: API request throttling
- Audit Logging: Comprehensive security event logging
- Environment Variables: No hardcoded secrets
- Docker Security: Non-root containers, minimal base images
- Database Encryption: Encrypted connections required
- Secret Management: Secure credential handling
- Always use HTTPS in production
- Keep dependencies updated regularly
- Use strong passwords for database and admin accounts
- Enable audit logging for compliance
- Configure proper CORS policies
- Use secrets management solutions (not .env files in production)
- Regular security updates - apply patches promptly
- Never commit secrets to version control
- Use .env.example as a template, never commit .env
- Run security scanners before commits
- Review dependencies for known vulnerabilities
- Follow least privilege principle
- Validate all inputs from users
- Test authentication and authorization flows
We conduct regular security assessments:
- Code Reviews: All code changes are reviewed
- Dependency Scanning: Automated vulnerability scanning
- Penetration Testing: Periodic security audits
- Compliance Reviews: SOC 2, HIPAA, GDPR assessments
| Control Area | Implementation |
|---|---|
| CC6.1 Logical Access | RBAC, JWT authentication, API key scoping |
| CC6.6 System Boundaries | Network segmentation, CORS, rate limiting |
| CC6.7 Data Classification | Credential encryption, log sanitization |
| CC6.8 Data Retention | Configurable retention, secure deletion |
| CC7.1 Configuration Management | Environment variables, no hardcoded secrets |
| CC7.2 Change Management | Git history, audit logs |
- Data Minimization: Only essential data collected
- Right to Erasure: Agent and credential deletion supported
- Encryption: All PII encrypted at rest and in transit
- Audit Trail: Complete logging of data access
- No PII in Logs: Token IDs and sensitive data truncated/hashed
AIM writes security logs in JSON Lines format, compatible with:
- Splunk
- ELK Stack
- Datadog
- Sumo Logic
- AWS CloudWatch

```python
# Enable security logging
from aim_sdk import configure_security_logging

configure_security_logging()
```

Environment variables:
- AIM_SECURITY_LOG_FILE: Path to security log file
- AIM_SECURITY_LOG_LEVEL: DEBUG, INFO, WARNING, ERROR, CRITICAL
- AIM_SECURITY_LOG_STDOUT: Include stdout logging (true/false)

- Organizations are strictly isolated at the database level
- API keys are scoped to specific organizations
- Users cannot access resources outside their organization
- All API endpoints require authentication
- Rate limiting prevents abuse
- Input validation prevents injection attacks
- Comprehensive audit logging for compliance
- Trust scores use multiple factors to prevent gaming
- Historical data prevents sudden score manipulation
- ML models are trained on verified data
Security updates are released as soon as fixes are available. Subscribe to:
- GitHub Security Advisories: For critical vulnerabilities
- GitHub Releases: For all security updates
- Mailing List: info@opena2a.org
We follow industry best practices for coordinated vulnerability disclosure:
- Private Disclosure: Report to info@opena2a.org
- Assessment: We evaluate and respond within 48 hours
- Fix Development: We develop and test the fix
- Coordinated Release: We coordinate public disclosure with the reporter
- Public Advisory: We publish a security advisory after fix deployment
We do not currently have a formal bug bounty program, but we:
- Acknowledge all valid security reports
- Credit researchers in security advisories
- Fast-track security fixes
- May consider rewards for critical vulnerabilities on a case-by-case basis
- Security Issues: info@opena2a.org
- General Security Questions: Discuss in GitHub Discussions
- Emergency Contact: For critical vulnerabilities, mark email as URGENT
We will not pursue legal action against researchers who:
- Follow this disclosure policy
- Act in good faith
- Do not violate privacy or destroy data
- Do not disrupt our services
Thank you for helping keep AIM and our users safe!