We provide security updates for the following versions across the HiveLLM ecosystem:
| Project | Version | Supported |
|---|---|---|
| Synap | 1.x.x | ✅ |
| Vectorizer | 1.x.x | ✅ |
| UMICP | 1.x.x | ✅ |
| Nexus | 0.x.x | ✅ |
| Gateway | 0.x.x | ✅ |
| Governance | 0.x.x | ✅ |
| Task Queue | 0.x.x | ✅ |
| Agent Framework | 0.x.x | ✅ |
| All other components | < 0.1 | ❌ |
Note: Pre-1.0 versions receive security updates for the latest minor version only.
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in any HiveLLM project, please report it by emailing:
Include the following information:
- Affected Project: Which HiveLLM component is affected
- Description: A clear description of the vulnerability
- Impact: What an attacker could accomplish
- Reproduction: Step-by-step instructions to reproduce the issue
- Affected Versions: Which versions are vulnerable
- Environment: Operating system, Rust version, configuration (if relevant)
- Suggested Fix: If you have a fix or mitigation (optional)
- Disclosure Preference: How you'd like to be credited (optional)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Status Updates: Weekly until resolution
- Fix Timeline: Depends on severity (see below)
- Coordinated Disclosure: After fix is released
| Severity | Response Time | Fix Timeline | Public Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7 days | After patch release |
| High | 48 hours | 14 days | After patch release |
| Medium | 5 days | 30 days | After patch release |
| Low | 10 days | 90 days | After patch release |
Critical:
- Remote code execution (RCE)
- Authentication bypass
- Data breach or exposure
- Privilege escalation to admin/root
High:
- SQL injection
- Cross-site scripting (XSS) with data access
- Denial of Service (DoS) affecting availability
- Cryptographic weaknesses
Medium:
- Information disclosure
- Cross-site request forgery (CSRF)
- Missing security headers
- Insecure defaults
Low:
- Minor information leakage
- Best practice violations
- Low-impact DoS
- Authentication: JWT-based authentication with configurable expiry
- Encryption: TLS 1.2+ for all network communication
- Replication: Secure replication with encrypted channels
- Access Control: Role-based access control (RBAC)
- Rate Limiting: Configurable rate limits per client
# config.yml - Secure production configuration
server:
host: "0.0.0.0"
port: 8080
tls:
enabled: true
cert_path: "/etc/synap/certs/cert.pem"
key_path: "/etc/synap/certs/key.pem"
min_version: "1.2"
auth:
enabled: true
jwt_secret: "${JWT_SECRET}" # Use environment variable
token_expiry: 3600 # 1 hour
refresh_enabled: true
security:
rate_limit:
enabled: true
requests_per_minute: 120
burst: 20
max_connections: 10000
max_request_size: "10MB"
replication:
enabled: true
tls_verify: true
auth_required: true- API Authentication: API key-based authentication
- Input Validation: Strict validation of queries and parameters
- Resource Limits: Query size, result count, timeout limits
- Isolation: Query execution isolation to prevent abuse
# config.yml - Secure configuration
server:
bind: "127.0.0.1:8080" # Bind to localhost, use reverse proxy
auth:
api_key_header: "X-API-Key"
require_auth: true
limits:
max_query_length: 1000
max_results: 100
query_timeout_ms: 30000
max_concurrent_queries: 100
security:
content_security_policy: true
cors:
enabled: true
allowed_origins: ["https://yourdomain.com"]- mTLS: Mutual TLS authentication between clients and servers
- Message Signing: Cryptographic signatures for message integrity
- Encryption: End-to-end encryption for sensitive payloads
- Authorization: Fine-grained permission system
# config.yml - Secure UMICP configuration
server:
tls:
enabled: true
mutual_tls: true
cert_path: "/etc/umicp/certs/server.crt"
key_path: "/etc/umicp/certs/server.key"
ca_path: "/etc/umicp/certs/ca.crt"
security:
message_signing: true
require_encryption: true
max_message_size: "50MB"- Request Validation: Schema validation for all requests
- Authentication: Multiple auth methods (JWT, API Key, OAuth2)
- Rate Limiting: Per-client and global rate limits
- WAF: Basic web application firewall features
// gateway.config.ts
export default {
auth: {
methods: ['jwt', 'apikey'],
jwtSecret: process.env.JWT_SECRET,
tokenExpiry: '1h',
},
security: {
rateLimiting: {
enabled: true,
windowMs: 60000, // 1 minute
maxRequests: 100,
},
helmet: true, // Enable Helmet.js security headers
cors: {
origin: ['https://yourdomain.com'],
credentials: true,
},
},
};- Role-Based Access: Hierarchical role and permission system
- Audit Logging: Complete audit trail of all actions
- Proposal Security: Cryptographic verification of proposals
- Vote Integrity: Tamper-proof voting system
- Keep Updated: Always use the latest stable version
- Strong Credentials: Use strong, unique passwords and API keys
- TLS Everywhere: Enable TLS for all production deployments
- Network Security: Restrict network access with firewalls
- Monitoring: Monitor logs for suspicious activity
- Regular Backups: Maintain encrypted backups
- Least Privilege: Grant minimal necessary permissions
- Security Audits: Regular security reviews and penetration testing
- Code Review: All code changes require security-focused review
- Dependency Audit: Run
cargo auditbefore every commit - No Secrets: Never commit secrets, credentials, or private keys
- Safe Coding: Follow Rust security best practices
- Input Validation: Always validate and sanitize input
- Error Handling: Handle errors securely without leaking information
- Testing: Include security tests for new features
- Documentation: Document security implications of changes
# Check for security advisories
cargo audit
# Update dependencies
cargo update
# Check for outdated dependencies
cargo outdated
# Verify dependency checksums
cargo verify-project# Check for vulnerabilities
npm audit
pnpm audit
# Update dependencies
npm update
pnpm update
# Check for outdated packages
npm outdated
pnpm outdatedAll projects use automated dependency scanning:
- Dependabot: Automated dependency updates
- GitHub Security Advisories: Vulnerability alerts
- cargo-audit: Daily Rust dependency scans
- npm audit: Daily Node.js dependency scans
- ✅ Use TLS 1.2+ for all external connections
- ✅ Enable mutual TLS (mTLS) for service-to-service communication
- ✅ Use reverse proxy (nginx, Caddy, Traefik) with security headers
- ✅ Implement rate limiting at multiple layers
- ✅ Use DDoS protection (Cloudflare, AWS Shield, etc.)
- ✅ Restrict access by IP whitelist when possible
- ✅ Use private networks for internal services
- ✅ Enable logging and monitoring
- ✅ Use secrets management (HashiCorp Vault, AWS Secrets Manager)
- ✅ Implement proper CORS policies
# /etc/nginx/sites-available/hivellm
upstream synap_backend {
server 127.0.0.1:8080;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name api.hivellm.org;
# SSL Configuration
ssl_certificate /etc/letsencrypt/live/api.hivellm.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.hivellm.org/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
ssl_prefer_server_ciphers on;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Rate Limiting
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req zone=api_limit burst=20 nodelay;
limit_req_status 429;
# Request Size Limits
client_max_body_size 10M;
client_body_buffer_size 10M;
# Proxy Configuration
location / {
proxy_pass http://synap_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name api.hivellm.org;
return 301 https://$server_name$request_uri;
}# Use specific version tags
FROM rust:1.85-slim as builder
# Run as non-root user
RUN useradd -m -u 1000 appuser
# Build stage
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY src ./src
RUN cargo build --release
# Runtime stage
FROM debian:bookworm-slim
# Install security updates
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y --no-install-recommends ca-certificates && \
rm -rf /var/lib/apt/lists/*
# Create non-root user
RUN useradd -m -u 1000 appuser
# Copy binary
COPY --from=builder /app/target/release/synap /usr/local/bin/
RUN chown appuser:appuser /usr/local/bin/synap
# Switch to non-root user
USER appuser
# Expose port
EXPOSE 8080
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8080/health || exit 1
# Run application
ENTRYPOINT ["synap"]# docker-compose.yml
version: '3.8'
services:
synap:
image: hivellm/synap:1.0.0
restart: unless-stopped
# Security options
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
# Resource limits
deploy:
resources:
limits:
cpus: '2'
memory: 2G
# Secrets
secrets:
- jwt_secret
- tls_cert
- tls_key
# Environment from file
env_file:
- .env.production
# Network
networks:
- internal
# Volumes
volumes:
- synap_data:/data:rw
- /tmp:/tmp:rw
networks:
internal:
driver: bridge
internal: true
volumes:
synap_data:
driver: local
secrets:
jwt_secret:
file: ./secrets/jwt_secret.txt
tls_cert:
file: ./secrets/tls_cert.pem
tls_key:
file: ./secrets/tls_key.pem- ✅ Use environment variables for secrets
- ✅ Use secrets management systems (Vault, AWS Secrets Manager)
- ✅ Rotate secrets regularly (at least quarterly)
- ✅ Never commit secrets to version control
- ✅ Use
.gitignoreto prevent accidental commits - ✅ Encrypt secrets at rest
- ✅ Use principle of least privilege for secret access
# .env.production (never commit this file)
JWT_SECRET=your-strong-random-secret-here
DATABASE_URL=postgresql://user:pass@localhost/db
API_KEY=your-api-key-here
TLS_CERT_PATH=/etc/hivellm/certs/cert.pem
TLS_KEY_PATH=/etc/hivellm/certs/key.pem# Secrets
.env
.env.*
!.env.example
*.key
*.pem
*.crt
secrets/
config/*.secret.*
# Credentials
credentials.json
auth.jsonLog the following security-relevant events:
- ✅ Authentication attempts (success/failure)
- ✅ Authorization failures
- ✅ API rate limit violations
- ✅ Configuration changes
- ✅ Unusual access patterns
- ✅ Error conditions
- ✅ Administrative actions
- ✅ Data access and modifications
- ✅ Implement log rotation
- ✅ Define retention policies (minimum 90 days)
- ✅ Restrict log access
- ✅ Encrypt sensitive logs
- ✅ Never log passwords, tokens, or keys
- ✅ Sanitize user input in logs
# logging.yml
logging:
level: info
format: json
security:
enabled: true
log_auth_attempts: true
log_failures: true
log_admin_actions: true
rotation:
max_size: "100MB"
max_age: 90
max_backups: 10
compress: true
outputs:
- type: file
path: "/var/log/hivellm/security.log"
- type: syslog
network: tcp
address: "syslog.example.com:514"- Detection: Identify security incident
- Containment: Isolate affected systems
- Eradication: Remove threat and vulnerabilities
- Recovery: Restore normal operations
- Post-Incident: Review and improve
- Security Team: team@hivellm.org
- Emergency: For critical incidents, email with subject "SECURITY EMERGENCY"
We follow Coordinated Vulnerability Disclosure:
- Private Report: Report to team@hivellm.org
- Acknowledgment: We acknowledge receipt within 48 hours
- Assessment: We assess and confirm the vulnerability within 5 days
- Fix Development: We develop and test a fix
- Security Release: We release a security update
- Public Disclosure: We publish a security advisory
- Recognition: We credit the reporter (if desired)
We request that security researchers:
- ✅ Report vulnerabilities privately before public disclosure
- ✅ Allow reasonable time for fixing (90 days standard)
- ✅ Avoid exploiting vulnerabilities beyond proof-of-concept
- ✅ Do not access, modify, or delete user data
- ✅ Do not perform DoS attacks
We recognize security researchers who responsibly disclose vulnerabilities:
- No security disclosures yet
- SOC 2 Type II (planned for 2025)
- ISO 27001 (planned for 2026)
- GDPR-ready data handling
- CCPA compliance for California users
- Open source license compliance
/docs/ecosystem/SECURITY_ARCHITECTURE.md- Security architecture- Component-specific security docs in each project's
/docsdirectory
Security updates are released as patch versions following semantic versioning:
- Critical: Immediate release with security advisory
- High: Released within 7 days
- Medium: Included in next minor release
- Low: Included in next major release
- GitHub Security Advisories
- Mailing list: security-announce@hivellm.org (subscribe via website)
- Release notes in CHANGELOG.md
- Twitter: @hivellm (security announcements tagged #security)
Last Updated: October 2024
Version: 1.0.0
For security questions or to report vulnerabilities: team@hivellm.org