| Version | Supported |
|---|---|
| 3.0.x | Yes |
| 2.5.x | Security fixes only |
| < 2.5 | No |

Do not open a public issue for security vulnerabilities.
Email [email protected] with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide a timeline for a fix.

InsAIts is built with security-first principles:
- 100% local processing -- no message content is sent to external services
- Audit logs store hashes only -- never raw message content
- Tamper-evident hash chain -- SHA-256 chain detects any log modification
- No hardcoded secrets -- all credentials via environment variables
- Input validation on all public API methods
- Rate limiting built into the circuit breaker
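The tamper-evident, hashes-only audit log from the list above, as an added illustration that is not code from InsAIts: each record stores only the SHA-256 of a message together with the hash of the previous record, and a verifier walks the chain from a fixed anchor to report the first record that was edited, edited-and-rehashed, deleted or reordered. The class and field names, the `GENESIS` anchor and the sample agent messages are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import dataclass

GENESIS = "0" * 64  # constructed anchor for the first record's prev_hash


@dataclass
class AuditRecord:
    seq: int
    timestamp: float
    sender: str
    recipient: str
    message_hash: str  # SHA-256 of the message; the message text is never stored
    prev_hash: str     # record_hash of the previous record (the chain link)
    record_hash: str = ""

    def canonical(self) -> str:
        """Deterministic serialisation of every field except record_hash."""
        body = {k: v for k, v in self.__dict__.items() if k != "record_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":"))


def hash_message(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def compute_record_hash(record: AuditRecord) -> str:
    return hashlib.sha256(record.canonical().encode("utf-8")).hexdigest()


class HashChainAuditLog:
    """Append-only log in which every record commits to its predecessor."""

    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    def append(self, sender: str, recipient: str, content: str,
               timestamp: float | None = None) -> AuditRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = AuditRecord(
            seq=len(self.records),
            timestamp=time.time() if timestamp is None else timestamp,
            sender=sender,
            recipient=recipient,
            message_hash=hash_message(content),  # only the digest is retained
            prev_hash=prev,
        )
        rec.record_hash = compute_record_hash(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain from GENESIS; return (ok, index of first bad record)."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != expected_prev:
                return False, i  # reordered, deleted or inserted record
            if not hmac.compare_digest(compute_record_hash(rec), rec.record_hash):
                return False, i  # a field was edited without updating the hash
            expected_prev = rec.record_hash
        return True, None


def build_sample_log() -> HashChainAuditLog:
    """Constructed traffic between two agents; fixed timestamps keep hashes reproducible."""
    log = HashChainAuditLog()
    log.append("planner", "executor", "Summarise the Q3 incident report", timestamp=1700000000.0)
    log.append("executor", "planner", "Summary ready: 3 incidents, all resolved", timestamp=1700000001.0)
    log.append("planner", "executor", "Send the summary to the on-call lead", timestamp=1700000002.0)
    return log


def first_broken_after_edit(recompute_hash: bool) -> int | None:
    """Rewrite record 1's message_hash. Without recomputing, record 1 itself fails;
    with recomputing, record 1 passes but record 2's prev_hash no longer matches."""
    log = build_sample_log()
    rec = log.records[1]
    rec.message_hash = hash_message("Summary ready: 0 incidents")
    if recompute_hash:
        rec.record_hash = compute_record_hash(rec)
    return log.verify()[1]


def first_broken_after_deletion() -> int | None:
    """Drop the middle record: the record that slides into slot 1 carries seq 2."""
    log = build_sample_log()
    del log.records[1]
    return log.verify()[1]


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited in place:", first_broken_after_edit(False))
    print("edited and rehashed:", first_broken_after_edit(True))
    print("record deleted:", first_broken_after_deletion())
```

A chain like this localises modification but cannot, by itself, distinguish an honest log from one in which every record after the edit was rebuilt, nor detect truncation of the newest records. In practice the latest `record_hash` is therefore anchored outside the writer's control (signed, or published to a separate system on a schedule) so that a verifier has a reference point the log's own author cannot rewrite.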

InsAIts monitors the semantic content layer of AI-to-AI communication. Infrastructure-layer attacks (DNS rebinding, OAuth injection, sandbox escape) are outside scope and should be addressed with network/OS-level controls.
See MCP Security Reference for the full threat model.

We follow coordinated disclosure. After a fix is released, we will:
- Credit the reporter (unless they prefer anonymity)
- Publish a security advisory on GitHub
- Release a patched version on PyPI