Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them privately via email:

📧 security@labs.ai

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fix (optional but appreciated)

We follow coordinated disclosure:

1. You report the vulnerability privately
2. We acknowledge and begin working on a fix
3. We release the fix and publish a security advisory
4. You may publish your findings after the fix is released

We will credit you in the security advisory unless you prefer to remain anonymous.

• EDDI core application (labsai/eddi Docker image)
• MCP server implementation
• REST API endpoints
• Authentication and authorization mechanisms
• Official Docker images on Docker Hub
• Secrets vault implementation
• SSRF protection mechanisms

• Third-party LLM API vulnerabilities (OpenAI, Anthropic, etc.)
• User configuration errors (e.g., running without authentication)
• Vulnerabilities in dependencies (report upstream; we monitor via Dependaagent)
• Social engineering attacks
• Denial of service via expected API usage

• Never commit API keys, tokens, or passwords
• Use Vault references (${vault:key-name}) for sensitive configuration
• All external URL access must use UrlValidationUtils.validateUrl()
• No eval(), ScriptEngine, or dynamic code execution
• No @JsonTypeInfo(use=Id.CLASS) for untrusted payloads
• Read the Security documentation before contributing security-sensitive code

• Security Architecture — SSRF protection, sandboxed evaluation, tool hardening
• Secrets Vault — Secure secret storage and retrieval
• Project Philosophy — Pillar 4 — Security as Architecture