Skip to content

Security: DeployFaith/Hermes_Agency

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest Yes

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub Security Advisories to report vulnerabilities privately.

Please include:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Affected component(s)
  4. Impact assessment (if possible)

Response Timeline

  • Acknowledgement: within 48 hours
  • Initial assessment: within 7 days
  • Fix or mitigation: depends on severity, typically within 30 days

Security Boundaries

Hermes Agency has several distinct trust boundaries. Understanding them helps you assess impact and report issues accurately.

Hermes Agency plugin and pool

The Agency plugin and pool manager route tasks to staff agents, attempt wake for offline specialists, and queue work persistently. A compromised pool manager could misroute tasks or exhaust agent wake budgets. Lifecycle tools must validate profile names and process ownership before signaling host processes.

Remote task execution

Staff agents execute delegated tasks with access to their configured tools and model providers. Defaults are conservative:

  • allow_remote_tasks: false
  • incoming.tool_access: safe
  • empty peer allowlist means deny (unless explicitly configured otherwise)

Incoming work must pass allowlist and trust verification. Prefer transport-authenticated sender identity over arbitrary task metadata.

Keryx transport (primary)

Keryx provides daemon, relay, registry, mailbox, routing, claim-next worker dispatch, and terminal result/artifact return. Peer communication uses encrypted transport primitives owned by the Keryx runtime. Compromising the relay or registry could allow traffic analysis or service disruption; see the hermes-keryx security guidance for runtime-specific details.

AgentAnycast (legacy fallback)

AgentAnycast under src/agentanycast/ is retained for explicit legacy/fallback deployments only (agency.transport_backend: agentanycast). Do not treat it as the recommended production path. Legacy daemon download/verification behavior, when used, must follow AgentAnycast verification guidance.

Management endpoints

Pool management HTTP and local APIs should bind to loopback by default. Non-loopback binds require authentication (for example HERMES_POOL_TOKEN). State-changing endpoints must require authentication.

Model and tool access

Each agent has a configured model set and tool set. The agency restricts which tools and models an agent can access based on its role and configuration. An agent should not be able to escalate beyond its assigned tool or model scope.

Outbound remote content

Remote-visible progress, artifacts, and error summaries should not include secrets, credential-bearing URLs, private keys, or local absolute paths. Detailed raw diagnostics stay local.

Disclosure Policy

We follow coordinated disclosure. We will work with you to understand and address the issue before any public disclosure.

Recognition

We appreciate responsible disclosure and will credit reporters (with permission) in release notes.

There aren't any published security advisories