Currently Holo is not yet ready to be used in any corporate environment.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
A process will be created.
Please do not open a public issue for security vulnerabilities.
- Acknowledgement: We will acknowledge receipt within a week.
- Assessment: We will assess the vulnerability and determine its impact.
- Fix: We will work on a fix and coordinate disclosure with you.
- Disclosure: Once a fix is available, we will publish a security advisory.
The following are in scope for security reports:
- The Holo extractor pipeline (`src/extractor/`)
- The MCP server (`src/mcp-server/`)
- The Holo local runner (`holo.py`)
- The dashboard (`dashboard/`): XSS, injection, etc.

The following are out of scope:
- Regulatory documents in `regulations/` (third-party content)
- Issues in upstream dependencies (report those to the respective projects)
Holo uses API keys for LLM providers (OpenAI, Anthropic). These should:
- Never be committed to version control
- Be stored in environment variables or `.env` files (which are `.gitignore`d)
- Not be logged or displayed in output
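One way to follow these three rules in a Python entry point like `holo.py`, as an added example that is not part of Holo's own code: keys are read from the environment (with a `.env` file as fallback), startup fails closed when no key is present, a `.gitignore` check confirms `.env` is excluded, and a `logging.Filter` scrubs the key values from every log line. The variable names `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`, the hand-written `.env` parser (used so the example runs without `python-dotenv`), and the sample `.env` text are all assumptions made for this illustration.

```python
"""Illustrative API-key handling for a Holo-style runner (added example, not project code).

Assumptions not taken from the security policy: the provider keys live in
OPENAI_API_KEY / ANTHROPIC_API_KEY, and a .env file uses plain KEY=VALUE lines.
"""
import logging
import os

KEY_VARS = ("OPENAI_API_KEY", "ANTHROPIC_API_KEY")  # assumed variable names


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser for .env content (comments, blanks, 'export ' and quotes handled)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_api_keys(environ=None, dotenv_text=None) -> dict:
    """Return the provider keys that are set; real env vars win over .env values.

    Fails closed: raises RuntimeError instead of continuing with no key.
    """
    env = dict(os.environ if environ is None else environ)
    if dotenv_text is not None:
        for name, value in parse_dotenv(dotenv_text).items():
            env.setdefault(name, value)
    keys = {name: env[name] for name in KEY_VARS if env.get(name)}
    if not keys:
        raise RuntimeError(f"no LLM API key found; set one of {KEY_VARS}")
    return keys


def dotenv_is_gitignored(gitignore_text: str) -> bool:
    """Rough check that a .gitignore excludes .env (exact patterns only, no full glob semantics)."""
    patterns = {".env", "/.env", "*.env", ".env*"}
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line in patterns:
            return True
    return False


def redact(text: str, secrets) -> str:
    """Replace every occurrence of each secret value with a fixed marker."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text


class SecretRedactingFilter(logging.Filter):
    """Scrubs known secret values out of every LogRecord before it is emitted."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then scrub the rendered text.
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def scrubbed_message(msg: str, args: tuple, secrets) -> str:
    """Helper: run one log message through the filter and return what would be emitted."""
    record = logging.LogRecord("holo", logging.INFO, __file__, 0, msg, args, None)
    SecretRedactingFilter(secrets).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    # Constructed sample .env content; a real runner would read Path(".env").read_text().
    sample_dotenv = "# local secrets\nOPENAI_API_KEY='sk-example-0000'\n"
    keys = load_api_keys(dotenv_text=sample_dotenv)
    logger = logging.getLogger("holo")
    logger.addHandler(logging.StreamHandler())
    logger.addFilter(SecretRedactingFilter(keys.values()))
    logger.setLevel(logging.INFO)
    # Only the names are safe to print; the filter would scrub the values anyway.
    logger.info("loaded keys for: %s", ", ".join(keys))
    logger.info("debug dump that accidentally includes a key: %s", keys["OPENAI_API_KEY"])
```

Attach the filter to the logger (or root logger) before any provider client is constructed, so a stack trace or debug dump that embeds the key value is scrubbed on its way out; redaction by exact value is deliberate, since pattern-matching on key prefixes would miss providers whose keys have no fixed shape.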