Security updates will be provided for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |

We take the security of HORUS seriously. If you discover a security issue, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please open a private security advisory via GitHub:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the private advisory form
When reporting a security issue, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact
- Any suggested fixes (optional)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies based on severity and complexity
We follow responsible disclosure practices:
- You report the issue privately
- We confirm receipt and begin investigation
- We develop and test a fix
- We release the fix and publish a security advisory
- You receive credit in the advisory (if desired)
When using HORUS in production:
- Keep HORUS updated to the latest version
- Review and validate all packages before installation
- Use authentication for registry operations
- Limit access to shared memory regions (/dev/shm/horus/)
- Monitor system logs for unusual activity
- Follow the principle of least privilege for node permissions
This security policy covers:
- HORUS core framework (horus_core)
- HORUS CLI tool (horus_manager)
- Official language bindings (horus_py)
- HORUS package registry and marketplace
Third-party packages in the HORUS ecosystem are the responsibility of their respective maintainers.
HORUS includes the following security features:
- Memory Safety: Rust's ownership system prevents memory corruption
- Type Safety: Fixed-size message structures prevent buffer overflows
- Process Isolation: Shared memory with proper permissions
- Authentication: GitHub OAuth for package publishing
- Package Verification: Manifest validation and checksum verification
We appreciate the security research community's efforts to improve HORUS. Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (with permission).