The ARI project and its maintainers take security vulnerabilities seriously.

We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

Note: Intentional design decisions, feature requests, or suggestions for security improvements that do not involve an actual exploitable flaw are not considered vulnerabilities. If you have suggestions for security enhancements, please open a feature request instead.

A security vulnerability is a weakness in the software that compromises data confidentiality, integrity, or availability. This may happen by due to coding errors, design flaws, or misconfigurations. Examples of security vulnerabilities include, but are not limited to:

• Remote code execution: Allowing an attacker to run arbitrary code on the system.
• Elevated permissions or privilege escalation: Gaining unauthorized access to higher privilege levels.
• Unintended access to data or systems: Accessing data or functionality that should be restricted.
• Denial of service attacks: Making the system unavailable to legitimate users.
• Bypass of security controls: Circumventing authentication, authorization, or other security mechanisms.

What separates a security vulnerability from other unwanted behavior (a non-security bug) is a compromise in one or more of the areas above: confidentiality, integrity, or availability.

If you think you have identified a security issue with the ARI project, do not open a public issue. To responsibly report a security issue, please navigate to the "Security" tab for the repository, and click "Report a vulnerability".

Be sure to include as much detail as necessary in your report. As with reporting normal issues, a minimal reproducible example will help the maintainers address the issue faster.

The following are generally not considered security vulnerabilities:

• Issues in dependencies (please report these to the respective upstream projects).
• Vulnerabilities in outdated or unsupported versions.
• Social engineering attacks.
• Denial of service via resource exhaustion without amplification.
• Issues requiring physical access to a user's device.

While using ARI, we recommend:

• Always use the latest stable version.
• Keep all dependencies up to date.
• Follow the principle of least privilege when running MCP servers.
• Review and understand the tools and resources exposed by the server.
• Monitor security advisories in our GitHub Security tab.

If you have questions about our security policy or the vulnerability disclosure process, please open a discussion on this repository.