| Repository | Supported |
|---|---|
| cerid-ai (latest main) | ✅ |
| cerid-trading-agent (latest main) | ✅ |
| cerid-boardroom (latest main) | ✅ |

Older pinned versions are not actively patched. Always run from main.

Do not open a public GitHub issue for security vulnerabilities.

Report security issues privately:
- Go to the affected repository on GitHub.
- Click Security → Report a vulnerability (GitHub private advisory).
- Include: affected component, reproduction steps, potential impact, and any suggested fix.

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 14 days depending on severity.

In scope:
- Authentication bypasses or privilege escalation in the MCP server or API
- Remote code execution via file ingestion or agent workflows
- Data exfiltration from the knowledge base or secrets store
- Dependency vulnerabilities in direct dependencies

Out of scope:
- Issues in third-party services (OpenRouter, Hyperliquid, Polymarket)
- Vulnerabilities requiring physical access to the host machine
- Social engineering attacks

Cerid AI uses age encryption for secrets at rest (.env.age). Age keys are stored outside the repo at ~/.config/cerid/age-key.txt. If you discover a committed secret or key material, report it immediately via the private advisory process above.

Dependabot is enabled across all repos with weekly grouped updates. Lock files with hashes (requirements.lock, package-lock.json) are used to ensure reproducible builds. CodeQL analysis runs on every push.