Security fixes are provided for the following versions:

| Version | Supported |
|---|---|
| 1.7.x | Yes |
| < 1.7 | No |
Please do NOT open public issues for security vulnerabilities.
If you discover a security vulnerability in AgentOS, please report it responsibly:
- Email: send details to security@lucas-futures.com
- Subject: `[AgentOS Security] Brief description`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Expected response timeline:

| Action | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
The following are in scope for security reports:
- API key exposure — Any path where API keys could leak (logs, crash reports, network traffic)
- Channel authentication bypass — Circumventing Telegram/Discord/LINE allow-lists
- Tool execution without consent — Bypassing PrivacyHook for sensitive operations
- MCP server spoofing — MITM or injection via MCP connections
- Data exfiltration — Unauthorized access to on-device data (photos, contacts, files)
- Relay worker vulnerabilities — Issues in the Cloudflare Worker relay infrastructure
- Webhook verification bypass — Bypassing Ed25519/HMAC-SHA256 signature verification
The following are out of scope:
- Vulnerabilities in third-party services (Anthropic API, Telegram API, etc.)
- Issues requiring physical access to an unlocked device
- Social engineering attacks
- Denial of service via rate limiting exhaustion (a rate limiter is already in place)
AgentOS follows these security principles:
- Keychain-only storage — API keys and tokens are stored exclusively in iOS Keychain
- Fail-closed channel auth — Channels reject messages from non-allowlisted sources by default
- HTTPS-only MCP — No plaintext MCP connections allowed
- PrivacyHook gating — Sensitive tools (Drive uploads, Gmail sends, GitHub writes, contacts, BLE, HomeKit) require explicit user permission
- ConstitutionHook — Constitutional AI guardrails prevent harmful tool use patterns
- Webhook verification — All incoming webhooks are cryptographically verified
- Token-bucket rate limiting — Prevents API abuse
We appreciate security researchers who help keep AgentOS safe. Contributors who report valid vulnerabilities will be acknowledged in release notes (with permission).