## Supported Versions

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
## Reporting a Vulnerability

We take the security of NOESIS seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues. Instead, please report them via email to security@noesis.dev (or juancarlos@noesis.dev).
Please include the following information:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you report, you can expect the following:
- Acknowledgment: We will acknowledge your email within 48 hours
- Assessment: We will assess the vulnerability within 7 days
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical issues within 30 days
- Credit: We will credit you in our security advisories (unless you prefer anonymity)
We prefer all communications to be in English or Portuguese.
## Security Practices

NOESIS follows these practices:
- No persistent storage of sensitive user data without encryption
- API keys and secrets are never committed to the repository
- Environment variables are used for all configuration
- .env files are gitignored
- JWT tokens with short expiration for API authentication
- Role-based access control for administrative functions
- Rate limiting on all public endpoints
## Safety Layers

NOESIS implements multiple safety layers:
- Kill Switch: Emergency shutdown capability
- Threshold Monitor: Anomaly detection for consciousness metrics
- Ethical Tribunal: All actions pass through the VERITAS, SOPHIA and DIKÉ judges
- HITL Override: A human-in-the-loop can override any decision
## Development Security

Development-time checks include:
- Static analysis with bandit and safety
- Dependency scanning for known vulnerabilities
- Type checking with mypy to prevent runtime errors
- Input validation on all external inputs
## Never Commit

Never commit the following to the repository:
- API keys or tokens
- Passwords or secrets
- Private keys (.pem, .key)
- .env files (use .env.example as template)
- Credentials of any kind
## Secure Coding Guidelines

- Use environment variables for configuration
- Validate and sanitize all inputs
- Use parameterized queries (no SQL injection)
- Follow the principle of least privilege
- Log security-relevant events
- No hardcoded credentials
- Input validation present
- Error messages don't leak sensitive info
- Authentication/authorization checked
- Logging doesn't include sensitive data
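The guidelines and checklist above, shown as working Python. This is an added example and not NOESIS project code: the `users` table and its two rows are constructed here for the demonstration, and the `NOESIS_API_KEY` variable name is a placeholder, not a setting the project defines. It puts the string-formatted query the guidelines forbid next to the parameterized one, validates input against an allow-list, reads configuration from the environment and fails closed when it is missing, returns a generic error to the caller while logging the event internally, and redacts credentials before they reach a log line.

```python
import logging
import os
import re
import sqlite3

# Allow-list for usernames: letters, digits, "_", ".", "-", 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Matches "Bearer <token>" and key=value pairs whose key names a credential.
SECRET_RE = re.compile(r"(?i)(bearer\s+|(?:api[_-]?key|token|password|secret)=)\S+")


def validate_username(name):
    """Input validation: reject anything outside the allow-list before it reaches the database."""
    if not isinstance(name, str) or USERNAME_RE.fullmatch(name) is None:
        raise ValueError("invalid username")
    return name


def make_db():
    """Constructed in-memory table with two sample rows (demo data, not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name):
    """The anti-pattern the guideline forbids: user input spliced into the SQL text,
    so a value containing a quote changes the query instead of being compared."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user(conn, name):
    """Hardened form: validated input bound as a parameter, never parsed as SQL."""
    name = validate_username(name)
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def load_api_key(var="NOESIS_API_KEY", env=None):
    """Configuration from the environment, never from source; fail closed if missing.
    The variable name is a placeholder, not one the project defines."""
    env = os.environ if env is None else env
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def redact(text):
    """Mask credentials so a log line can never carry a usable secret."""
    return SECRET_RE.sub(r"\1[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Logging filter that applies redact() to every record created by the logger it is attached to."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        return True


def handle_lookup(conn, name, log=None):
    """Client-facing wrapper: a generic error outward, a detailed (but redacted) event inward."""
    log = log or logging.getLogger("noesis.security")
    try:
        return {"ok": True, "users": find_user(conn, name)}
    except ValueError:
        # Log the fact and a safe attribute of the input, not the raw value.
        log.warning("rejected lookup: invalid username (length=%d)", len(str(name)))
        return {"ok": False, "error": "invalid request"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    logging.getLogger("noesis.security").addFilter(RedactSecrets())
    db = make_db()
    print(handle_lookup(db, "alice"))
    print(handle_lookup(db, "x' OR '1'='1"))
    print(redact("Authorization: Bearer abc123"))
```

Running the module shows the two halves of the rule: `find_user_unsafe` returns every row for the crafted value because the quote terminates the literal, while `handle_lookup` rejects the same value at validation and the caller only sees `invalid request`. The filter is attached to the `noesis.security` logger itself, so the redaction applies to records created through that logger regardless of which handler emits them.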
## Disclosure Process

We follow a coordinated disclosure process:
- Report received and acknowledged
- Vulnerability confirmed and severity assessed
- Fix developed and tested
- Fix deployed to production
- Public disclosure (typically 90 days after report, or sooner if fix is deployed)
## Security Updates

Security updates are released as:
- Critical: Immediate patch release
- High: Within 7 days
- Medium: Within 30 days
- Low: Next regular release
Subscribe to our security advisories by watching this repository.
## Contact

- Security issues: security@noesis.dev
- General inquiries: juancarlos@noesis.dev
- GitHub Security Advisories: Repository Security Tab
## Acknowledgments

We thank the following individuals for responsibly disclosing security issues:
No reports yet - be the first!
Thank you for helping keep NOESIS and its users safe!