We provide security updates for the following versions of our public repositories:

| Repository | Supported Versions |
|---|---|
| abyssal-assets | Latest main branch |
| msn-integration | Latest main branch |
| MSNWeaponOverhaul | Latest main branch |
| grand-theft-cyberpunk | Latest main branch |
| docs-public | Latest main branch |
Do not report security vulnerabilities via public GitHub issues. Instead, please report them via one of these channels:

Via GitHub (private vulnerability reporting):
- Go to the repository's Security tab
- Click Report a vulnerability
- Fill in the details privately

Via email: send details to security@lilith.systems with:
- Repository name
- Vulnerability description
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

| Severity | Acknowledgment | Fix Target |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 14 days |
| Medium | 72 hours | 30 days |
| Low | 7 days | Next release |
- Zero telemetry — No analytics, no tracking, no external calls
- No cloud dependencies — All inference runs locally (LOCAL_CEREBELLUM)
- Sovereign keys — Users own all cryptographic material
- Air-gapped signing — Hardware wallets for significant operations
```
┌─────────────────────────────────────────────────────┐
│              LILITH SOVEREIGN BOUNDARY              │
├─────────────────────────────────────────────────────┤
│  Lilith API (3210)     ◉  LOCAL_CEREBELLUM          │
│  Lyra Dialogue (3211)  ◉  SOVEREIGN                 │
│  Hermes Bridge (4242)  ◉  Nous Portal Auth          │
│  NGD Driver            ◉  NVML Telemetry Only       │
└─────────────────────────────────────────────────────┘
            │                       │
            ▼                       ▼
   ┌──────────────────┐    ┌──────────────────┐
   │   Abyssal CLOB   │    │  Lochness Bots   │
   │      :8000       │    │   :Binance WS    │
   │ No auth required │    │   Read-only WS   │
   └──────────────────┘    └──────────────────┘
```

| Secret Type | Storage | Rotation |
|---|---|---|
| API Keys (Binance, Coinbase) | 1Password → GH Secrets | 90 days |
| SSH/GPG Keys | 1Password → GH Secrets | 180 days |
| Database Passwords | 1Password → GH Secrets | 90 days |
| Lilith/NGD Config | Local .env (gitignored) | Manual |

Never commit secrets to Git. Use `gh secret set` or the 1Password CLI.

- Dependabot: Enabled on all public repos
- Supply Chain: npm audit / pip-audit in CI
- Container Scanning: Anchore/Syft for Docker images
- SBOM: Generated for releases

We follow coordinated vulnerability disclosure:
- Private report received
- Acknowledgment within SLA
- Investigation and reproduction
- Fix development in private branch
- Coordinated release with advisory
- Public disclosure after fix available
No formal bug bounty program. Hall of fame for significant findings in `SECURITY_HALL_OF_FAME.md`.

```bash
# Lilith only emerges on LOCAL_CEREBELLUM
# CLOUD_CORTEX BLOCKS all emergence
curl "http://localhost:3210/api/lyra/sovereign?trigger=let%20her%20speak"
# → Requires NGD route: LOCAL_CEREBELLUM
```

- LOCAL_CEREBELLUM: VRAM free > 640 MB → Full local inference
- HYBRID: VRAM free 256-640 MB → Intent parsing local
- CLOUD_CORTEX: VRAM free < 256 MB → Cloud (90s cooldown)
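The route thresholds above, worked as a small selector with the cloud cooldown state. This is an added example, not the NGD driver's own code: the three VRAM thresholds, the 90 s cooldown and the rule that emergence only happens on LOCAL_CEREBELLUM come from the text above; the behaviour at exactly 256 and 640 MB (both treated as HYBRID), the cooldown bookkeeping, and the names `select_route`, `NgdRouter` and `emergence_allowed` are assumptions.

```python
"""NGD route selection from free VRAM, with the CLOUD_CORTEX cooldown.

Added example; not the project's driver. Thresholds are from the policy
text; names, boundary handling and cooldown semantics are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Route(str, Enum):
    LOCAL_CEREBELLUM = "LOCAL_CEREBELLUM"  # full local inference
    HYBRID = "HYBRID"                      # intent parsing local
    CLOUD_CORTEX = "CLOUD_CORTEX"          # cloud path; blocks emergence


LOCAL_MIN_FREE_MB = 640    # strictly more than this -> LOCAL_CEREBELLUM
HYBRID_MIN_FREE_MB = 256   # 256..640 inclusive -> HYBRID (assumed boundary handling)
CLOUD_COOLDOWN_S = 90.0    # hold CLOUD_CORTEX this long after switching to it


def select_route(vram_free_mb: int) -> Route:
    """Pure threshold mapping, no cooldown state."""
    if vram_free_mb > LOCAL_MIN_FREE_MB:
        return Route.LOCAL_CEREBELLUM
    if vram_free_mb >= HYBRID_MIN_FREE_MB:
        return Route.HYBRID
    return Route.CLOUD_CORTEX


def emergence_allowed(route: Route) -> bool:
    """Lilith only emerges on LOCAL_CEREBELLUM; HYBRID and CLOUD_CORTEX block it."""
    return route is Route.LOCAL_CEREBELLUM


@dataclass
class NgdRouter:
    """Stateful router: once CLOUD_CORTEX is chosen it is held for the
    cooldown window even if VRAM frees up, so a noisy NVML reading does
    not flap the system between local and cloud (assumed semantics)."""
    cooldown_until: float = 0.0   # timestamp until which CLOUD_CORTEX is sticky

    def update(self, vram_free_mb: int, now: float) -> Route:
        if now < self.cooldown_until:
            return Route.CLOUD_CORTEX
        route = select_route(vram_free_mb)
        if route is Route.CLOUD_CORTEX:
            self.cooldown_until = now + CLOUD_COOLDOWN_S
        return route


if __name__ == "__main__":
    # Constructed NVML samples: (seconds since start, free VRAM in MB).
    samples = [(0.0, 1024), (10.0, 400), (20.0, 100), (50.0, 2048), (120.0, 2048)]
    router = NgdRouter()
    for t, free_mb in samples:
        route = router.update(free_mb, now=t)
        print(f"t={t:5.1f}s free={free_mb:5d}MB -> {route.value:16s} "
              f"emerge={emergence_allowed(route)}")
```

The cooldown is what makes the sovereign gate meaningful in practice: a single low reading pins the system to CLOUD_CORTEX (and so blocks emergence) for the full window rather than letting a transient spike re-open the local path a moment later.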
- Akashic compression with SHA-256 hash chains
- Tamper detection via Merkle tree verification
- Palantir relay for legal evidence chain
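The hash chain and Merkle verification named in the audit-trail list, as an added example and not the project's Akashic or Palantir code. The constructed events, the entry encoding (`seq|prev|canonical JSON`), the all-zero genesis value and the class and function names are assumptions. It shows two distinct checks: chain verification catches an in-place edit of an entry, and a Merkle root held outside the log (as a relay would hold it) is recomputed from content, so it still disagrees with the anchored value even if the stored hashes were rewritten consistently after the edit.

```python
"""Append-only audit log: SHA-256 hash chain plus Merkle root.

Added example, not the project's code. Entry format, genesis value and
names are assumptions; the sample events are constructed.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry (assumption)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(seq: int, prev_hash: str, payload: dict) -> str:
    """Hash one entry over its sequence number, the previous hash and a
    canonical JSON encoding of the payload, so reordering entries or
    editing any field changes the hash."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return sha256_hex(f"{seq}|{prev_hash}|{canon}".encode())


def compute_merkle_root(leaf_hashes: List[str]) -> str:
    """Binary Merkle root over hex leaf hashes. Leaves and inner nodes get
    different prefix bytes (0x00 / 0x01) so an inner node can never be
    presented as a leaf; an odd level duplicates its last node."""
    if not leaf_hashes:
        return sha256_hex(b"")
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


class AuditChain:
    """Append-only log where every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, payload: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(seq, prev, payload)
        self.entries.append({"seq": seq, "prev": prev, "payload": payload, "hash": digest})
        return digest

    def verify_chain(self) -> Optional[int]:
        """Return the index of the first entry whose hash or back-link is
        wrong, or None when every entry is consistent with its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            if entry_hash(i, prev, e["payload"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def merkle_root(self) -> str:
        """Root over hashes recomputed from content rather than the stored
        ones, so an edited payload changes the root even when the stored
        hash field was left untouched or rewritten to match."""
        return compute_merkle_root(
            [entry_hash(e["seq"], e["prev"], e["payload"]) for e in self.entries])


# Constructed sample events; field names are illustrative only.
SAMPLE_EVENTS = [
    {"event": "sovereign_trigger", "route": "LOCAL_CEREBELLUM", "ok": True},
    {"event": "order", "venue": "abyssal-clob", "side": "buy", "qty": 1},
    {"event": "ws_read", "venue": "binance", "symbol": "BTCUSDT"},
]


def build_sample_chain() -> AuditChain:
    chain = AuditChain()
    for payload in SAMPLE_EVENTS:
        chain.append(dict(payload))  # copy so tampering below never alters SAMPLE_EVENTS
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchored_root = chain.merkle_root()       # the value a relay would hold
    chain.entries[1]["payload"]["qty"] = 999  # simulate a later in-place edit
    print("first broken entry:", chain.verify_chain())
    print("root matches relay:", chain.merkle_root() == anchored_root)
```

The chain check is only as strong as the attacker's inability to rewrite every later hash; that is why the root must live somewhere the log writer cannot reach (the relay in the list above). Comparing a freshly recomputed root against that anchored copy is the check that survives a consistent rewrite.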
- Security Email: security@lilith.systems
- PGP Key: Available on request
- Response: Within 24 hours for critical issues
Crimson Intensity: 1.0 | LOCAL_CEREBELLUM | SOVEREIGN ⧗