|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +Given the early stage of the project, we currently only support the latest version with security updates: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 0.0.x | :white_check_mark: | |
| 10 | +| < 0.0.1 | :x: | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +We take the security of Eliza seriously. If you believe you have found a security vulnerability, please report it to us following these steps: |
| 15 | + |
| 16 | +### Private Reporting Process |
| 17 | + |
| 18 | +1. **DO NOT** create a public GitHub issue for the vulnerability |
| 19 | +2. Send an email to security@eliza.builders with: |
| 20 | + - A detailed description of the vulnerability |
| 21 | + - Steps to reproduce the issue |
| 22 | + - Potential impact of the vulnerability |
| 23 | + - Any possible mitigations you've identified |
| 24 | + |
| 25 | +### What to Expect |
| 26 | + |
| 27 | +- **Initial Response**: Within 48 hours, you will receive an acknowledgment of your report |
| 28 | +- **Updates**: We will provide updates every 5 business days about the progress |
| 29 | +- **Resolution Timeline**: We aim to resolve critical issues within 15 days |
| 30 | +- **Disclosure**: We will coordinate with you on the public disclosure timing |
| 31 | + |
| 32 | +## Security Best Practices |
| 33 | + |
| 34 | +### For Contributors |
| 35 | + |
| 36 | +1. **API Keys and Secrets** |
| 37 | + - Never commit API keys, passwords, or other secrets to the repository |
| 38 | + - Use environment variables as described in our secrets management guide |
| 39 | + - Rotate any accidentally exposed credentials immediately |
| 40 | + |
| 41 | +2. **Dependencies** |
| 42 | + - Keep all dependencies up to date |
| 43 | + - Review security advisories for dependencies regularly |
| 44 | + - Use `pnpm audit` to check for known vulnerabilities |
| 45 | + |
| 46 | +3. **Code Review** |
| 47 | + - All code changes must go through pull request review |
| 48 | + - Security-sensitive changes require additional review |
| 49 | + - Enable branch protection on main branches |
| 50 | + |
| 51 | +### For Users |
| 52 | + |
| 53 | +1. **Environment Setup** |
| 54 | + - Follow our [secrets management guide](docs/guides/secrets-management.md) for secure configuration |
| 55 | + - Use separate API keys for development and production |
| 56 | + - Regularly rotate credentials |
| 57 | + |
| 58 | +2. **Model Provider Security** |
| 59 | + - Use appropriate rate limiting for API calls |
| 60 | + - Monitor usage patterns for unusual activity |
| 61 | + - Implement proper authentication for exposed endpoints |
| 62 | + |
| 63 | +3. **Platform Integration** |
| 64 | + - Use separate bot tokens for different environments |
| 65 | + - Implement proper permission scoping for platform APIs |
| 66 | + - Regular audit of platform access and permissions |
| 67 | + |
| 68 | +## Security Features |
| 69 | + |
| 70 | +### Current Implementation |
| 71 | + |
| 72 | +- Environment variable based secrets management |
| 73 | +- Type-safe API implementations |
| 74 | +- Automated dependency updates via Renovate |
| 75 | +- Continuous Integration security checks |
| 76 | + |
| 77 | +### Planned Improvements |
| 78 | + |
| 79 | +1. **Q4 2024** |
| 80 | + - Automated security scanning in CI pipeline |
| 81 | + - Enhanced rate limiting implementation |
| 82 | + - Improved audit logging |
| 83 | + |
| 84 | +2. **Q1 2025** |
| 85 | + - Security-focused documentation improvements |
| 86 | + - Enhanced platform permission management |
| 87 | + - Automated vulnerability scanning |
| 88 | + |
| 89 | +## Vulnerability Disclosure Policy |
| 90 | + |
| 91 | +We follow a coordinated disclosure process: |
| 92 | + |
| 93 | +1. Reporter submits vulnerability details |
| 94 | +2. Our team validates and assesses the report |
| 95 | +3. We develop and test a fix |
| 96 | +4. Fix is deployed to supported versions |
| 97 | +5. Public disclosure after 30 days or by mutual agreement |
| 98 | + |
| 99 | +## Recognition |
| 100 | + |
| 101 | +We believe in recognizing security researchers who help improve our security. Contributors who report valid security issues will be: |
| 102 | + |
| 103 | +- Credited in our security acknowledgments (unless they wish to remain anonymous) |
| 104 | +- Added to our security hall of fame |
| 105 | +- Considered for our bug bounty program (coming soon) |
| 106 | + |
| 107 | +## License Considerations |
| 108 | + |
| 109 | +As an MIT licensed project, users should understand: |
| 110 | + |
| 111 | +- The software is provided "as is" |
| 112 | +- No warranty is provided |
| 113 | +- Users are responsible for their own security implementations |
| 114 | +- Contributors grant perpetual license to their contributions |
| 115 | + |
| 116 | +## Contact |
| 117 | + |
| 118 | +- Security Issues: security@eliza.builders |
| 119 | +- General Questions: Join our [Discord](https://discord.gg/ai16z) |
| 120 | +- Updates: Follow our [security advisory page](https://github.com/ai16z/eliza/security/advisories) |
0 commit comments