If you discover a security vulnerability in Aegis, please report it responsibly:

1. Preferred: Open a GitHub Security Advisory. This keeps the report private until a fix is released.
2. Fallback: Use the Security Vulnerability issue template. Maintainers will move it to a private advisory if needed.
3. Include a description of the vulnerability, steps to reproduce, and potential impact.
4. We will acknowledge receipt within 48 hours and provide a timeline for the fix.

Aegis implements the following security controls:

• Authentication: API key-based auth with optional master token
• Input validation: Path traversal prevention, env var name validation
• SSRF protection: URL scheme and private IP range validation
• Command injection prevention: Port validation, safe exec patterns
• Transport security: Recommended behind HTTPS reverse proxy

Security patches are released as minor/patch versions. We recommend keeping Aegis updated to the latest version.