Security: imran-siddique/agent-mesh

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow our responsible disclosure process.

DO NOT

  • ❌ Open a public GitHub issue for security vulnerabilities
  • ❌ Disclose the vulnerability publicly before it's fixed
  • ❌ Exploit the vulnerability beyond what's necessary to demonstrate it

DO

  • ✅ Report privately using the process below
  • ✅ Provide sufficient detail to reproduce the issue
  • ✅ Allow reasonable time for us to respond and fix

Vulnerability Disclosure Policy (VDP)

Scope

This policy applies to:

  • AgentMesh core libraries (agentmesh-platform)
  • AgentMesh MCP Server (agentos-mcp-server)
  • AgentMesh API (agentmesh-api)
  • AgentMesh Benchmark API
  • Official documentation and examples

Out of Scope

  • Third-party dependencies (report to upstream)
  • Social engineering attacks
  • Denial of service attacks
  • Issues in forks or unofficial distributions

How to Report

Email: security@agentmesh.dev (or imran.siddique@microsoft.com)

GitHub Security Advisories: Report a vulnerability

What to Include

  1. Description: Clear explanation of the vulnerability
  2. Impact: What an attacker could achieve
  3. Steps to Reproduce: Detailed reproduction steps
  4. Affected Versions: Which versions are impacted
  5. Suggested Fix: (Optional) If you have a proposed solution
  6. Your Contact: Email for follow-up questions

Example Report

Subject: [SECURITY] Policy bypass via Unicode normalization

Description:
The policy engine's string matching can be bypassed using Unicode 
homoglyphs. An attacker can execute "ᵣᵤₙ_ₛₕₑₗₗ" which visually 
resembles "run_shell" but bypasses the blocklist.

Impact:
Attackers can execute blocked tools by using Unicode variants.

Steps to Reproduce:
1. Create policy blocking "run_shell" tool
2. Request tool "ᵣᵤₙ_ₛₕₑₗₗ" (Unicode subscript letters)
3. Policy check passes, tool executes

Affected Versions: 1.0.0 - 1.2.3

Suggested Fix:
Apply Unicode normalization (NFKC) before policy matching.
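The fix suggested in the example report, worked through as an added Python example (illustrative code written for this page, not AgentMesh's policy engine): a raw string comparison against a blocklist does not find the subscript-letter variant, whereas normalizing to NFKC (and case-folding) before matching does. The BLOCKED_TOOLS and ALLOWED_TOOLS sets and all function names are assumptions for the demonstration; the allowlist form follows the "allowlists over blocklists" advice in the Security Best Practices section below.

```python
import unicodedata

# Constructed policy for the demonstration (not AgentMesh's policy file format).
BLOCKED_TOOLS = {"run_shell", "delete_file"}
ALLOWED_TOOLS = {"read_file", "search_docs"}

# The homoglyph from the example report, spelled out as code points:
# LATIN SUBSCRIPT SMALL LETTER R/U/N/S/H/E/L, which NFKC maps back to ASCII.
HOMOGLYPH_REQUEST = "\u1d63\u1d64\u2099_\u209b\u2095\u2091\u2097\u2097"  # "ᵣᵤₙ_ₛₕₑₗₗ"


def naive_is_blocked(tool_name: str) -> bool:
    """Vulnerable check (the 'before' state): compares the raw string, so a
    compatibility variant of a blocked name is not found in the blocklist."""
    return tool_name in BLOCKED_TOOLS


def canonical(tool_name: str) -> str:
    """Canonical form used for every policy comparison.

    NFKC folds compatibility characters (sub/superscripts, fullwidth forms,
    ligatures) onto their base characters; casefold() then removes case
    differences so 'Run_Shell' and 'run_shell' compare equal as well."""
    return unicodedata.normalize("NFKC", tool_name).casefold()


def hardened_is_blocked(tool_name: str) -> bool:
    """Fixed check: normalize first, then consult the blocklist."""
    return canonical(tool_name) in BLOCKED_TOOLS


def allowlist_permits(tool_name: str) -> bool:
    """Allowlist form: only names that normalize to an explicitly allowed tool
    pass; anything else, including names NFKC cannot fold, fails closed."""
    return canonical(tool_name) in ALLOWED_TOOLS


def evaluate(tool_name: str) -> dict:
    """Run all three checks on one request so the difference is visible."""
    return {
        "request": tool_name,
        "canonical": canonical(tool_name),
        "naive_blocked": naive_is_blocked(tool_name),
        "hardened_blocked": hardened_is_blocked(tool_name),
        "allowlist_permits": allowlist_permits(tool_name),
    }


if __name__ == "__main__":
    for name in ("run_shell", HOMOGLYPH_REQUEST, "read_file"):
        print(evaluate(name))
```

One caveat worth keeping in mind: NFKC only folds characters that have a compatibility decomposition. Visually confusable letters from other scripts are not touched by it, which is the practical argument for the allowlist form: a name the policy does not recognize is denied, rather than passing because it missed a blocklist entry.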

Response Timeline

| Phase | Target Time |
|---|---|
| Initial acknowledgment | 24 hours |
| Severity assessment | 72 hours |
| Fix development | 7-30 days (severity dependent) |
| Public disclosure | After fix is released |

Severity Levels

| Level | Description | Target Fix Time |
|---|---|---|
| Critical | Remote code execution, auth bypass | 7 days |
| High | Policy bypass, data exposure | 14 days |
| Medium | Limited impact vulnerabilities | 30 days |
| Low | Minor issues, hardening | 90 days |

Coordinated Disclosure

We follow coordinated disclosure practices:

  1. Private Report: You report to us privately
  2. Acknowledgment: We confirm receipt within 24 hours
  3. Investigation: We assess severity and develop a fix
  4. Notification: We notify you when the fix is ready
  5. Release: We release the fix
  6. Disclosure: We publish a security advisory (crediting you)
  7. Embargo Lift: You may publish your findings

Embargo Period

  • Default embargo: 90 days from report
  • May be extended for complex issues
  • May be shortened if actively exploited

Security Advisories

Published advisories are available at:

Bug Bounty

We currently do not operate a paid bug bounty program. However, we recognize security researchers through:

  • Security advisory credits
  • Hall of Fame in CONTRIBUTORS.md
  • Social media acknowledgment (with permission)

Security Best Practices

When using AgentMesh:

Policy Configuration

  • Use allowlists over blocklists when possible
  • Enable strict mode in production
  • Regularly audit policy files

Deployment

  • Run with minimal privileges
  • Use network isolation where possible
  • Enable audit logging
  • Rotate API keys regularly

Monitoring

  • Monitor audit logs for anomalies
  • Set up alerts for policy violations
  • Use verify_integrity() to detect log tampering
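What a verify_integrity() call on a hash-chained audit log is meant to catch, shown with an added stand-alone Python model (this is illustrative code for this page, not AgentMesh's Merkle audit implementation; the entry layout, field names and the sample tool-invocation records are constructed):

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # back-link value for the first entry


def entry_hash(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous entry's hash and a canonical serialization of
    this entry's payload, so each entry commits to everything before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, payload: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "index": len(self.entries),
            "prev_hash": prev,
            "payload": payload,
            "hash": entry_hash(prev, payload),
        }
        self.entries.append(entry)
        return entry

    def verify_integrity(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain from genesis. Returns (True, None) when every
        entry's hash and back-link check out, otherwise (False, index) for the
        first entry that does not."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["index"] != i or entry["prev_hash"] != prev:
                return False, i
            if entry_hash(prev, entry["payload"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed tool-invocation records; not real AgentMesh log output."""
    log = AuditLog()
    log.append({"agent": "did:example:agent-a", "tool": "read_file", "decision": "allow"})
    log.append({"agent": "did:example:agent-a", "tool": "run_shell", "decision": "deny"})
    log.append({"agent": "did:example:agent-b", "tool": "search_docs", "decision": "allow"})
    return log


def tamper_demo() -> Tuple[Tuple[bool, Optional[int]], ...]:
    """Three verifications: an untouched log, the same log after entry 1's
    'deny' is edited in place to 'allow', and after the editor also re-hashes
    entry 1 (which still breaks entry 2's back-link)."""
    log = build_sample_log()
    untouched = log.verify_integrity()
    log.entries[1]["payload"]["decision"] = "allow"
    edited = log.verify_integrity()
    log.entries[1]["hash"] = entry_hash(log.entries[1]["prev_hash"], log.entries[1]["payload"])
    rehashed = log.verify_integrity()
    return untouched, edited, rehashed


if __name__ == "__main__":
    print(tamper_demo())
```

The chain catches in-place edits and reordering, but a chain on its own cannot tell that the newest entries were simply dropped. Closing that gap means anchoring the latest hash (or Merkle root) somewhere the log writer cannot change, for instance a signed checkpoint stored out of band, and comparing against it when verifying.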

Security Architecture

Identity & Credential Lifecycle

AgentMesh separates identity (long-lived) from credentials (ephemeral):

| Layer | TTL | Rotation | Status |
|---|---|---|---|
| Agent Identity (AgentIdentity) | Optional expires_at field | Manual revocation/reactivation | ✅ Implemented |
| Ephemeral Credentials (Credential) | 15 minutes (configurable) | Automatic via rotate_if_needed() | ✅ Implemented |
| SVID Certificates (SVID) | 15 minutes (configurable) | Via CA rotate_credentials() | ✅ Implemented |
| Integration Identity (CMVKIdentity) | Optional ttl_seconds param | Manual (identity-layer only) | ✅ Implemented |

Credential rotation is zero-downtime — old credentials are marked "rotated" and remain valid during a brief overlap period. Revocation propagates in ≤5 seconds.
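The rotation and overlap behaviour described above, modelled as an added Python example (written for this page; it is not AgentMesh's Credential class). Opaque random tokens stand in for the Ed25519/X.509 material, the clock is injected so the timing is reproducible, and the rotation threshold (80% of the TTL) and the 30-second overlap window are assumptions; only the 15-minute default TTL comes from the table.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_TTL_SECONDS = 15 * 60   # the 15-minute default from the lifecycle table
ROTATE_AT_FRACTION = 0.8        # assumption: rotate once 80% of the TTL has elapsed
OVERLAP_SECONDS = 30            # assumption: window in which a rotated credential still verifies


@dataclass
class Credential:
    token: str
    issued_at: float
    ttl: int = DEFAULT_TTL_SECONDS
    status: str = "active"      # active | rotated | revoked
    rotated_at: Optional[float] = None

    def is_valid(self, now: float) -> bool:
        """A credential verifies while unexpired and not revoked; a rotated one
        only inside the overlap window, so in-flight requests are not failed."""
        if self.status == "revoked" or now >= self.issued_at + self.ttl:
            return False
        if self.status == "rotated":
            return now < self.rotated_at + OVERLAP_SECONDS
        return True


def mint_token() -> str:
    """Stand-in for key/certificate issuance: a fresh random bearer token."""
    return secrets.token_urlsafe(32)


@dataclass
class CredentialManager:
    current: Credential
    retired: List[Credential] = field(default_factory=list)

    @classmethod
    def issue(cls, now: float, ttl: int = DEFAULT_TTL_SECONDS) -> "CredentialManager":
        return cls(current=Credential(token=mint_token(), issued_at=now, ttl=ttl))

    def rotate_if_needed(self, now: float) -> bool:
        """Rotate once the credential has aged past the threshold. The old one
        is marked 'rotated' rather than discarded so it keeps verifying during
        the overlap. Returns True when a rotation happened."""
        age = now - self.current.issued_at
        if age < ROTATE_AT_FRACTION * self.current.ttl:
            return False
        old = self.current
        old.status, old.rotated_at = "rotated", now
        self.retired.append(old)
        self.current = Credential(token=mint_token(), issued_at=now, ttl=old.ttl)
        return True

    def revoke_all(self) -> None:
        """Revocation is immediate and has no overlap: every credential, current
        or retired, stops verifying."""
        for cred in [self.current, *self.retired]:
            cred.status = "revoked"

    def accepts(self, token: str, now: float) -> bool:
        """Verifier side: find the presented token and apply the validity rules.
        compare_digest keeps the lookup constant-time per candidate."""
        for cred in [self.current, *self.retired]:
            if secrets.compare_digest(cred.token, token):
                return cred.is_valid(now)
        return False


if __name__ == "__main__":
    mgr = CredentialManager.issue(now=0.0)
    first = mgr.current.token
    print("rotated at t=720s:", mgr.rotate_if_needed(now=720.0))
    print("old token inside overlap:", mgr.accepts(first, now=740.0))
    print("old token after overlap:", mgr.accepts(first, now=760.0))
```

This model is single-process, so revocation takes effect the moment revoke_all() runs. In a deployment with several verifiers, the ≤5-second figure quoted above is a propagation bound: each verifier has to learn about the revocation before it stops honouring the credential, which is why the overlap window should be kept short and the revocation path monitored separately from rotation.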

On-Behalf-Of (OBO) User Context

When agents act on behalf of end users, UserContext propagates through the trust layer:

  • Core: UserContext model in agentmesh.identity.delegation with user_id, user_email, roles, permissions, and TTL
  • Handshake: HandshakeResponse and HandshakeResult carry user_context so downstream agents know which user triggered the request
  • Integration: TrustedAgentCard includes user_context; ToolInvocationRecord logs it for audit
  • Future Roadmap: Per-user data access policies (e.g., "Agent B trusts Agent A, but User X cannot access file Y")

Service Discovery

Trusted agents find each other through a layered discovery model:

| Layer | Component | Description | Status |
|---|---|---|---|
| Core Registry | AgentRegistry | Central "Yellow Pages" with DIDs, capabilities, trust scores | ✅ Implemented |
| Card Registry | CardRegistry | Signed agent cards with TTL-based verification caching | ✅ Implemented |
| SPIFFE Registry | SPIFFERegistry | Maps agent DIDs to SPIFFE workload identities | ✅ Implemented |
| Integration Discovery | AgentDirectory | Framework-level peer lookup by DID or capability | ✅ Implemented |
| Network Discovery | DID resolution to endpoints | Resolve DIDs to HTTP endpoints for cross-cloud handshakes | 🚧 Future Roadmap |

The integration layer (AgentDirectory) provides local discovery for framework users. Production deployments pair this with the core AgentRegistry service for centralized, network-wide discovery.

Security Features

AgentMesh includes several security features:

| Feature | Description | Status |
|---|---|---|
| Cryptographic Identity | Ed25519/X.509 agent credentials | ✅ Stable |
| Capability Scoping | Fine-grained permission control | ✅ Stable |
| Policy Engine | Tool-level access control | ✅ Stable |
| Merkle Audit | Immutable Merkle-chained logs | ✅ Stable |
| Tamper Detection | Hash chain verification | ✅ Stable |
| Shadow Mode | Test policies before enforcement | ✅ Stable |
| Zero-Trust | Verify every interaction | ✅ Stable |
| Rate Limiting | Prevent resource exhaustion | 🚧 Planned |
| mTLS | Mutual TLS for MCP | 🚧 Planned |

Compliance

AgentMesh supports compliance with:

| Standard | Coverage |
|---|---|
| SOC 2 Type II | Audit logging, access controls |
| HIPAA | PHI protection policies |
| GDPR | Data minimization, consent tracking |
| PCI DSS | Cardholder data policies |
| EU AI Act | Human oversight, transparency |

Note: AgentMesh is a tool to help achieve compliance, not a compliance certification.

OpenSSF Best Practices

We are committed to the OpenSSF Best Practices:

  • ✅ HTTPS for all project sites
  • ✅ Version control (Git)
  • ✅ Automated testing (CI/CD)
  • ✅ Static analysis (linting)
  • ✅ Documented security policy
  • ✅ Vulnerability reporting process

Contact


This security policy follows the disclose.io safe harbor guidelines.

Last updated: February 2026