Do not open a public issue for security vulnerabilities.
Please report security issues by emailing the maintainers directly or using GitHub's private vulnerability reporting.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.
Aegis is a governance layer — it is security-critical by nature. The following are in scope:
- Policy bypass (action executes despite being blocked)
- Audit log tampering or omission
- Approval gate bypass
- Injection via action params or policy YAML
| Version | Supported |
|---|---|
| 0.5.x | Yes |
| 0.4.x | Yes |
| 0.3.x | Security fixes only |
| < 0.3 | No |
- Threat Model — 8 threat categories with mitigations
- OWASP Agentic Mapping — Coverage of OWASP Top 10 for Agentic Applications
- Audit Readiness — Independent audit preparation