| Version | Supported |
|---|---|
| 1.0.x | Yes |
Do not open a public GitHub issue for security vulnerabilities.
Email: contact@vplsolutions.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix if you have one
You will receive a response within 72 hours. If the vulnerability is confirmed, a fix will be prioritized and a CVE requested if applicable.
AgentBond is an MCP delegation enforcement library. Security issues in scope:
- Token forgery or bypass of the 4-rule enforcement chain
- HMAC-SHA256 key exposure or weaknesses
- Re-delegation enforcement failures
- Audit log integrity issues
- Dependency vulnerabilities in production packages
Out of scope: test-only dependencies, local dev tooling, documentation issues.
See ADR-001 (Related Prior Art) and ADR-002 (Alternatives Considered) for documented constraints:
- HMAC-SHA256 symmetric key — no revocation support in MVP
- No identity provider integration — token issuer is not authenticated externally
- In-memory audit log — not durable across restarts
These are architectural decisions, not vulnerabilities. Future ADRs govern extensions.