
Security: veegee82/AtelierOS


Security Policy

Supported Versions

| Version | Security fixes |
|---------|----------------|
| v1.0+   | Yes |
| < v1.0  | No — pre-release tags are unsupported |

Only the latest tagged release in the v1.* line receives security patches. Pre-release builds (commits past the latest tag, -rc and -beta tags) are unsupported.


Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Email: security@atelierOS.dev

A PGP public key is available on request — reply to the auto-acknowledgement and we will provide the fingerprint and key material.

What to include

  • Component affected — e.g. "Forge sandbox (bwrap)", "path-gate hook", "audit chain", "API gateway", specific bridge daemon.
  • Steps to reproduce — the minimum sequence required to observe the issue. Include configuration snippets (redact secrets), log excerpts, and OS/runtime version.
  • Impact assessment — your view of confidentiality, integrity, and availability impact.
  • CVE coordination — if you need a CVE identifier we can request one on your behalf; please mention this in your report.

Response timeline

| Milestone | Target |
|-----------|--------|
| Acknowledgement | ≤ 72 hours |
| Triage + severity classification | ≤ 14 days |
| Fix target (critical/high) | ≤ 30 days from triage |
| Fix target (medium/low) | Next scheduled release |
| Public advisory | After fix is tagged (see Disclosure Policy) |

Scope

In scope

  • Bridge daemons: Discord, Telegram, WhatsApp, Slack, Email, Microsoft Teams, Signal
  • Python adapter (operator/bridges/shared/adapter.py and supporting modules)
  • Forge sandbox — bwrap confinement, path-gate hook, policy enforcement
  • SkillForge linter — prompt-injection detection, secret-leakage checks
  • Hash-chained audit log and the voice-audit verify toolchain
  • Web console (atelier-console) and API gateway (atelier-admin)
  • Consent gate, bot-disclosure card, role/quota enforcement
  • Data classification (L34) and egress lockdown (L35) modules
  • Erasure orchestrator (L36) and audit-at-rest encryption (L37)

Out of scope

  • The upstream Claude CLI binary (claude) — report to Anthropic directly.
  • Third-party npm/pip dependencies that have received an upstream fix within the last 30 days — update the dependency and retest first.
  • Issues that require physical access to the host machine.
  • Social engineering of AtelierOS operators or contributors.
  • Issues in your own deployment configuration (misconfigured firewall rules, weak credentials, etc.) that are not caused by AtelierOS defaults.

Security Architecture Summary

AtelierOS is built with security as a structural property, not a configuration option. Key controls:

  • Whitelist-gated inbox — every inbound message is re-validated against the per-channel whitelist at consume time (TOCTOU-resistant); no message can enter the processing pipeline from an unauthorised sender.
  • Path-gate hook (fail-closed) — a PreToolUse hook denies all writes to forge workspaces, audit chains, policy files, and the skill-forge slot mirror; deny is the default on any parse ambiguity.
  • bwrap sandbox for Forge tools — runtime-generated tools execute inside a bubblewrap namespace; network access is persona-scoped (denied by default, explicit allow-list for browser/research personas).
  • Hash-chained audit log — every security-relevant event is appended to an audit.jsonl file where each entry carries a SHA-256 link to the previous entry; tampering with any entry invalidates the chain; voice-audit verify detects breaks offline.
  • Consent gate (deny-by-default) — observer-transcript sharing is opt-in per user, TTL-capped, and re-validated at the point of consumption; no auto-admit shortcut exists.
  • Secret vault isolation — credentials declared in Forge tool manifests are resolved from ~/.config/claude-voice/secrets.json (mode 0600) and injected into the bwrap environment; values are never placed in the LLM context, audit chain, or log output.
  • Data classification + egress lockdown (L34/L35) — task data is classified by sensitivity before engine dispatch; a declarative egress policy enforces which hosts a given tenant may reach; data_flow.blocked and egress.blocked events are CRITICAL and fail-closed.
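The hash-chained audit log above can be checked offline in a few lines. The following is an added example, not AtelierOS's own `voice-audit verify` code: it assumes each `audit.jsonl` line is a JSON object carrying `prev` (the previous entry's hash) and `hash` (SHA-256 over `prev` plus the canonical event payload), builds a small constructed chain, and shows that editing or deleting an entry breaks verification at that index.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel for the first entry's prev link


def entry_hash(prev, payload):
    # Link each entry to its predecessor by hashing prev together with the
    # canonical (sorted, compact) JSON of the event payload.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def append_entry(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "hash": entry_hash(prev, payload), **payload}
    chain.append(entry)
    return entry


def verify_chain(lines):
    # Returns (ok, index_of_first_bad_entry). Both the stored hash and the
    # prev link are checked, so edits, deletions and reordering are caught.
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry.get("prev") != prev or entry.get("hash") != entry_hash(prev, payload):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_chain():
    # Constructed sample events; field names are assumptions, not AtelierOS output.
    chain = []
    for ev in ({"event": "inbox.accepted", "sender": "user-1"},
               {"event": "tool.exec", "tool": "forge/search"},
               {"event": "egress.blocked", "host": "example.invalid"}):
        append_entry(chain, ev)
    return [json.dumps(e, sort_keys=True) for e in chain]


def tamper(lines, idx):
    # Flip one event name without recomputing its hash (what an attacker
    # editing the file in place would leave behind).
    entry = json.loads(lines[idx])
    entry["event"] = "egress.allowed"
    out = list(lines)
    out[idx] = json.dumps(entry, sort_keys=True)
    return out
```

A real verifier should also pin the expected head hash (last entry) from an out-of-band copy, since a rewrite of the whole file from entry 0 onward would otherwise still verify.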

Disclosure Policy

AtelierOS follows coordinated disclosure:

  1. Reporter submits vulnerability privately to security@atelierOS.dev.
  2. We acknowledge within 72 hours and begin triage.
  3. A 90-day embargo applies from the date of acknowledgement (shorter for critical issues affecting active deployments, by mutual agreement).
  4. We prepare a fix, tag a release, and publish a GitHub Security Advisory simultaneously with or immediately after the tag.
  5. Reporter is credited in the advisory unless anonymity is requested.
  6. If a fix cannot be delivered within 90 days, we will inform the reporter and agree on a revised timeline or a partial advisory.

We do not offer a bug bounty programme at this time.
