We use GitHub Security Advisories for coordinated disclosure. To report a vulnerability:
- Email: Send a report to security@vcav.io
- GitHub: Go to the Security Advisories page, click "Report a vulnerability", and provide a description of the issue, steps to reproduce, and any relevant context
Please do not open a public issue for security vulnerabilities.
The following components are in scope for security reports:
- agentvault-relay — session lifecycle, token authentication, schema validation, guardian policy enforcement, receipt signing, prompt assembly
- agentvault-client — HTTP client, contract hashing, session state handling
- agentvault-mcp-server — MCP tool dispatch, AFAL transport, session file persistence
- schemas/ — input payload schemas used for output validation
The following are out of scope:
- Vulnerabilities in upstream dependencies (report those to the upstream project)
- Denial of service via resource exhaustion (the relay is designed for trusted operator deployment, not public internet exposure)
We aim to acknowledge reports within 72 hours and provide a fix or mitigation plan within 14 days for confirmed vulnerabilities.