Atom is under active development. Security fixes are applied to the latest
main branch and included in the next release.
| Version | Supported |
|---|---|
| latest main | ✅ |
| older releases | ❌ |
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues responsibly:
- Email security@atomagentos.com with a description of the vulnerability
- Include steps to reproduce (proof of concept if possible)
- We will acknowledge within 48 hours
- We will investigate and provide a fix timeline within 7 days
- Once fixed, we will credit you (unless you prefer to remain anonymous)
Atom includes several security layers:
- BYOK (Bring Your Own Key): API keys are Fernet-encrypted at rest
- Agent Governance: 4-tier maturity system (Student → Autonomous) with human-in-the-loop approval for dangerous actions
- Execution Sandbox: 5-phase isolation (policy, filesystem scope, tripwires, resource caps, provenance tagging)
- Auth: JWT with refresh-token rotation, rate limiting on auth endpoints
- CSRF Protection: Middleware with bypass gated to test environment only
- Input Validation: Message length limits, SQL injection prevention
- You report the vulnerability privately
- We confirm and develop a fix
- Fix is released
- Public disclosure (after fix is available, typically 30-90 days)
Thank you for helping keep Atom secure.