If you discover a security vulnerability in OpenFang, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email: security@openfang.ai
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Affected versions
   • Potential impact assessment
   • Suggested fix (if any)

• Acknowledgment within 48 hours
• Initial assessment within 7 days
• Fix timeline communicated within 14 days
• Credit given in the advisory (unless you prefer anonymity)

The following are in scope for security reports:

• Authentication/authorization bypass
• Remote code execution
• Path traversal / directory traversal
• Server-Side Request Forgery (SSRF)
• Privilege escalation between agents or users
• Information disclosure (API keys, secrets, internal state)
• Denial of service via resource exhaustion
• Supply chain attacks via skill ecosystem
• WASM sandbox escapes

OpenFang implements defense-in-depth with the following security controls:

• Capability-based permissions: Agents only access resources explicitly granted
• RBAC multi-user: Owner/Admin/User/Viewer role hierarchy
• Privilege escalation prevention: Child agents cannot exceed parent capabilities
• API authentication: Bearer token with loopback bypass for local CLI

• Path traversal protection: safe_resolve_path() / safe_resolve_parent() on all file operations
• SSRF protection: Private IP blocking, DNS resolution checks, cloud metadata endpoint filtering
• Image validation: Media type whitelist (png/jpeg/gif/webp), 5MB size limit
• Prompt injection scanning: Skill content scanned for override attempts and data exfiltration

• Ed25519 signed manifests: Agent identity verification
• HMAC-SHA256 wire protocol: Mutual authentication with nonce-based replay protection
• Secret zeroization: Zeroizing<String> on all API key fields, wiped on drop

• WASM dual metering: Fuel limits + epoch interruption with watchdog thread
• Subprocess sandbox: Environment isolation (env_clear()), restricted PATH
• Taint tracking: Information flow labels prevent untrusted data in privileged operations

• GCRA rate limiter: Cost-aware token buckets per IP
• Security headers: CSP, X-Frame-Options, X-Content-Type-Options, HSTS
• Health redaction: Public endpoint returns minimal info; full diagnostics require auth
• CORS policy: Restricted to localhost when no API key configured

• Merkle hash chain: Tamper-evident audit trail for all agent actions
• Tamper detection: Chain integrity verification via /api/audit/verify

Security-critical dependencies are pinned and audited: