Note: Orion Agent is currently in beta. Security reports are taken seriously regardless of release stage.

| Version | Supported |
|---|---|
| 7.x.x (beta) | Yes |
| < 7.0 | No |

Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Include "SECURITY" in the subject line.

In your report, include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.

Orion implements multiple security layers:
- AEGIS Governance -- Hardened security gate with 6 invariants
- Workspace Confinement -- Operations cannot escape project directory
- Mode Enforcement -- Graduated permissions system (safe/pro/project)
- Credential Encryption -- API keys encrypted at rest via SecureStore
- Audit Logging -- All security-relevant events logged
- External Access Control -- Network operations require approval for writes
- Code Sandbox -- Docker-isolated execution environment

See docs/SECURITY.md for complete security documentation. See docs/AEGIS.md for governance system documentation.

We follow responsible disclosure:
- Reporter submits vulnerability
- We acknowledge and investigate
- We develop and test fix
- We release fix and credit reporter (if desired)
- We publish advisory after users have time to update

| Severity | Definition | Target Response |
|---|---|---|
| Critical | Remote code execution, credential exposure | 24 hours |
| High | Privilege escalation, path traversal bypass | 72 hours |
| Medium | Information disclosure, denial of service | 7 days |
| Low | Minor hardening suggestions | Next release |