Version: v0.9.0a2

Security & Responsible Disclosure


What this page covers

Vulnerability reporting, responsible disclosure policy, pen-testing scope, safe-harbor terms, and security posture for the Stigmem project.

Audience: security researchers, pen testers, node operators, protocol implementers.

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private advisory path.

  1. Go to the Security Advisories page.
  2. Click "Report a vulnerability".
  3. Include: description, reproduction steps, environment (backend type, Stigmem version, config), potential impact, and suggested fix if known.

Response SLAs:

| Milestone | Target | Notes |
|---|---|---|
| Acknowledgement | 48 hours | |
| Status update | 7 days | |
| Patch target | 14 days | For Critical/High findings. |
| Coordinated disclosure | 90 days | From acknowledgment. Shorter for actively exploited issues. |

See SECURITY.md for the full disclosure policy.

Supported versions

| Version | Supported | Notes |
|---|---|---|
| 0.9.0a* | yes | The v0.9.0aN alpha series (current). Pre-release; no stability guarantee. |
| retracted pre-reset label | no (retracted) | Retracted label; no PyPI artifact was published. |
| < 0.9.0a1 | no | Internal checkpoints (pre-reset v2.0), not tagged releases. |

Pen-testing scope

In scope

| Surface | Class | Notes |
|---|---|---|
| Reference node HTTP API | all routes | /v1/facts, /v1/query, /v1/lint, /v1/synthesis, /v1/decay, /v1/conflicts, /v1/federation/*. Authenticated and unauthenticated paths. |
| Federation handshake | protocol | PeerDeclaration signing, HLC cursor handling, replay protection. |
| Authentication | credential | API-key issuance, storage (Argon2id hashing), validation, scope enforcement. |
| Source Attestation | spec §18 | Enforcement modes (enforce, warn, off); entity-URI binding. |
| Memory Garden ACLs | spec §17 | Role escalation paths; garden boundary enforcement. |
| MCP adapter | adapter | assert_fact and query_facts tool surface. |
| OpenClaw / Claude Code adapter | adapter | Memory read/write paths. |

Out of scope

| Surface | Reason | Notes |
|---|---|---|
| Docs build toolchain | build-time | Docusaurus, npm transitive deps. No user-controlled input path. |
| Third-party dependencies | upstream | libSQL cloud, Turso, Postgres, Rekor. Report findings to the upstream project. |
| Rate limiting / resource exhaustion | known gap | Tracked as a planned hardening item. |
| Social engineering / phishing | universal | Out of scope for all security programs. |
| docs.stigmem.dev | static | No user data; no dynamic server-side logic. |

Safe-harbor terms

If you conduct good-faith testing within the scope above, Eidetic Labs will not pursue legal action and will publicly credit you in SECURITY.md and the relevant release notes (unless you prefer anonymity).

"Good faith" means

No third-party data

You do not access, exfiltrate, or modify data that is not yours.

Your own instance

You test against your own node or a dedicated test environment.

Private before public

You report findings privately before public disclosure.

No DoS for others

You do not cause service disruption to other users' nodes.

Minimal exploitation

You do not exploit a finding beyond what is necessary to confirm it exists.

Severity guidance

Use CVSS 4.0 as the primary severity signal.

| Severity | Class (CVSS 4.0 score) | Examples |
|---|---|---|
| Critical | 9.0–10.0 | Authentication bypass; remote code execution; federation peer impersonation; reading local or team facts without authorization. |
| High | 7.0–8.9 | Privilege escalation; scope boundary bypass; replay-attack success; Source Attestation bypass in enforce mode. |
| Medium | 4.0–6.9 | DoS with a clear exploit path; SSRF via federation pull path; information disclosure beyond error messages. |
| Low | 0.1–3.9 | Minor information disclosure; non-critical config defaults that weaken posture. |
| Informational | | Defense-in-depth suggestions; hardening recommendations without a clear exploit. |

Advisory publication

Stigmem publishes GitHub Security Advisories for Critical and High CVSS 4.0 findings that affect a supported published artifact once a patched version is available. The v0.9.0a2 hardening release includes six Critical/High GHSAs.

pip install --upgrade --pre stigmem-node
# or, for the meta-package install:
pip install --upgrade --pre 'stigmem[node]'

| GHSA | Severity · CVSS 4.0 | Notes |
|---|---|---|
| GHSA-jmfc-hfjq-pxcp | Critical · 9.1 | |
| GHSA-fp6w-8wpg-74g5 | Critical · 9.2 | |
| GHSA-9vp8-3hmv-8fgh | Critical · 9.1 | |
| GHSA-xh5j-xjfq-qvvx | High · 7.1 | |
| GHSA-w7pm-9g55-mxfm | High · 7.3 | |
| GHSA-9pc9-4crj-mhpj | High · 7.5 | |
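
To confirm that a node is at or above the v0.9.0a2 hardening release, the check below maps an installed version onto the supported-versions table. It is an added example, not Stigmem project code. It assumes the distribution name from the pip command above and parses only the PEP 440 subset used by the 0.9.0aN series; the status labels are hypothetical.

```python
import re
from importlib import metadata

# Assumptions, not project code: the distribution name comes from the pip
# command on this page; only the PEP 440 subset "release + aN/bN/rcN" is parsed.
DIST_NAME = "stigmem-node"
FIRST_SUPPORTED = "0.9.0a1"   # versions below this are unsupported per the table
HARDENED = "0.9.0a2"          # hardening release named on this page

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[._-]?(a|b|rc)[._-]?(\d+))?$")
_PHASE = {"a": 0, "b": 1, "rc": 2}


def parse(version):
    """Return a sortable key (release, pre) for a PEP 440-style version."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"unparsed version string: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while release and release[-1] == 0:   # 0.9 and 0.9.0 are the same release
        release.pop()
    # A final release sorts after every pre-release of the same number.
    pre = (_PHASE[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(release), pre


def classify(version):
    """Map a version onto the supported-versions table and the hardening release."""
    key = parse(version)
    if key < parse(FIRST_SUPPORTED):
        return "unsupported"
    release, pre = key
    if release != parse(HARDENED)[0] or pre[0] != _PHASE["a"]:
        return "unlisted"                 # not a 0.9.0aN version; table is silent
    return "hardened" if key >= parse(HARDENED) else "upgrade-needed"


def installed_status():
    """Classify the locally installed node package, if any."""
    try:
        return classify(metadata.version(DIST_NAME))
    except metadata.PackageNotFoundError:
        return "not-installed"


if __name__ == "__main__":
    print(DIST_NAME, installed_status())
```

Alpha versions do not sort as strings ("0.9.0a10" compares below "0.9.0a2" lexically), which is why the key compares the numeric alpha counter instead.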

Security posture — v0.9.0a2

Posture-reset note.

The 2026-05-08 reset to v0.9.0a1 carried forward the dependency-fix posture from the withdrawn v1.0 release-candidate snapshot. Several threat-model controls (mTLS-default federation, persistent audit log, per-principal rate limits, capability-level cross-org instruction validation, bounded HLC skew, the ADR-016 storage-immutability stack) remain future hardened-core work and are not yet in effect at v0.9.0a2. Adopters running federation across organizational boundaries should wait until those controls ship and complete operator validation.

The dependency-alert posture carried forward to v0.9.0a2 has zero unaddressed Dependabot alerts:

| Category | Count | Notes |
|---|---|---|
| Dependabot alerts resolved | 20 | By the dep upgrade sweep. |
| Docs build toolchain | 7 | Non-exploitable, suppressed. |
| Unaddressed / escalated blockers | 0 | |

Security controls in effect

| Control | Layer | Detail |
|---|---|---|
| Authentication | API | API keys enforced on all write endpoints; per-scope restrictions (spec §3.5). |
| Federation | protocol | Ed25519 peer handshake; HLC timestamps prevent replay attacks. |
| Input validation | HTTP | Pydantic on all endpoints; malformed payloads return 422 before business logic. |
| Secrets | repo | No credentials in the repository; Docker Compose uses env-var injection. |
| CI gate | supply chain | pip-audit, pnpm audit, and bandit run as blocking steps on every PR. |

Audit tooling

| Tool | Scope | Gate |
|---|---|---|
| pip-audit | Python deps | python-tests job; exits non-zero on any moderate+ CVE. |
| pnpm audit | Node.js deps | node-tests job; --audit-level=moderate. |
| bandit | Python static | python-tests job; configured in [tool.bandit]. |

Run locally:

# Python dependency audit
uv run pip-audit

# Python static security analysis
uv run bandit -r node/src/ sdks/stigmem-py/src/ -c pyproject.toml

# Node.js dependency audit
pnpm audit --audit-level=moderate

Running a test environment

# Clone the repo
git clone https://github.com/eidetic-labs/stigmem
cd stigmem

# Start a node with Docker Compose
docker compose up -d stigmem-node

# Create a test API key
curl -X POST http://localhost:8000/v1/admin/keys \
-H "Authorization: Bearer $STIGMEM_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{"label": "pentest", "scopes": ["public", "team"]}'

For federation testing, docker-compose.federation.yml spins up a 2-node topology:

docker compose -f docker-compose.federation.yml up -d

Coordinated disclosure

The default window is 90 days from acknowledgment of a valid finding.

Actively exploited

Faster coordination with reporter agreement.

Straightforward fix

Faster publication timeline communicated.

90 days insufficient

Extension discussed with the reporter.

Bug bounty

Stigmem does not currently operate a paid bug bounty program. Valid findings are recognized with:

Public credit

In SECURITY.md and the fixing release's changelog.

Spec attribution

In spec errata if the finding affects wire-format or protocol behavior.

See also

Community Pen-Test Handbook

Full engagement guide with report template.

Container Hardening

Distroless, seccomp, non-root.

Key Rotation

Ed25519 key lifecycle and dual-trust windows.

Audit & Quotas

Audit log surface and per-principal rate limiting.