| Version | Supported |
|---|---|
| latest | Yes |
Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, please use GitHub Security Advisories to report vulnerabilities privately.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s)
- Impact assessment (if possible)
- Acknowledgement: within 48 hours
- Initial assessment: within 7 days
- Fix or mitigation: depends on severity, typically within 30 days
Hermes Agency has several distinct trust boundaries. Understanding them helps you assess impact and report issues accurately.
The Agency plugin and pool manager route tasks to staff agents, attempt wake for offline specialists, and queue work persistently. A compromised pool manager could misroute tasks or exhaust agent wake budgets. Lifecycle tools must validate profile names and process ownership before signaling host processes.
Staff agents execute delegated tasks with access to their configured tools and model providers. Defaults are conservative:
allow_remote_tasks: falseincoming.tool_access: safe- empty peer allowlist means deny (unless explicitly configured otherwise)
Incoming work must pass allowlist and trust verification. Prefer transport-authenticated sender identity over arbitrary task metadata.
Keryx provides daemon, relay, registry, mailbox, routing, claim-next worker dispatch, and terminal result/artifact return. Peer communication uses encrypted transport primitives owned by the Keryx runtime. Compromising the relay or registry could allow traffic analysis or service disruption; see the hermes-keryx security guidance for runtime-specific details.
AgentAnycast under src/agentanycast/ is retained for explicit legacy/fallback deployments only (agency.transport_backend: agentanycast). Do not treat it as the recommended production path. Legacy daemon download/verification behavior, when used, must follow AgentAnycast verification guidance.
Pool management HTTP and local APIs should bind to loopback by default. Non-loopback binds require authentication (for example HERMES_POOL_TOKEN). State-changing endpoints must require authentication.
Each agent has a configured model set and tool set. The agency restricts which tools and models an agent can access based on its role and configuration. An agent should not be able to escalate beyond its assigned tool or model scope.
Remote-visible progress, artifacts, and error summaries should not include secrets, credential-bearing URLs, private keys, or local absolute paths. Detailed raw diagnostics stay local.
We follow coordinated disclosure. We will work with you to understand and address the issue before any public disclosure.
We appreciate responsible disclosure and will credit reporters (with permission) in release notes.