If you find a security issue in Hermes-Web, do not open a public issue.

| Repository state | How to report |
|---|---|
| Private (current) | Contact the repository owner directly through GitHub or via the contact method on the owner's profile |
| Public | Use GitHub Security Advisories for responsible disclosure |

- A short description of the issue
- Steps to reproduce
- Potential impact
- A suggested fix, if you have one

| Version | Supported |
|---|---|
| Latest tagged release | Yes |
| Current main branch | Yes, while the current release is active |
| Older tags | No |

- Keep `hermes-agent` up to date
- Prefer the Rust bridge when available
- Run the bridge on localhost only
- Do not expose port `9120` to the public internet
- Keep Node.js and dependencies updated

Default ports used by Hermes-Web:

| Port | Service | Exposure |
|---|---|---|
| `9120` | Bridge (WebSocket, JSON-RPC) | Localhost only |
| `5173` | Vite dev server | Localhost only |

Neither port should be exposed to the public internet in normal use.
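One way to check the port guidance above on a Linux host, as an added example that is not part of the Hermes-Web project: it parses `ss -H -ltn` output and reports any listener on `9120` or `5173` bound to something other than a loopback address. The function names and the sample output are constructed for illustration, and the script assumes `ss` from iproute2.

```python
import ipaddress
import subprocess

# Default ports from the table above.
HERMES_PORTS = {9120: "Bridge (WebSocket, JSON-RPC)", 5173: "Vite dev server"}

# Constructed sample of `ss -H -ltn` output, used when ss is unavailable.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 127.0.0.1:5173 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9120 0.0.0.0:*
LISTEN 0 128 [::1]:9120 [::]:*
LISTEN 0 128 *:22 *:*
"""

def split_local(addr):
    """Split the Local Address:Port column into (host, port string)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], port  # drop brackets and %iface

def is_loopback(host):
    """True only for loopback; wildcards and unparseable hosts count as exposed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return (mapped or ip).is_loopback

def exposed_listeners(ss_output, ports=HERMES_PORTS):
    """Return (port, host, service) for each listener bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append((int(port), host, ports[int(port)]))
    return findings

if __name__ == "__main__":
    try:
        out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    for port, host, service in exposed_listeners(out):
        print(f"EXPOSED: {service} listening on {host}:{port}")
```

A loopback-only bind does not cover reverse proxies or port forwards that relay traffic to these ports; those need a separate review.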