Given the early stage of the project, we currently only support the latest version with security updates:

| Version | Supported |
|---|---|
| 0.0.x | ✅ |
| < 0.0.1 | ❌ |

We take the security of Eliza seriously. If you believe you have found a security vulnerability, please report it to us following these steps:
- DO NOT create a public GitHub issue for the vulnerability
- Send an email to security@eliza.builders with:
  - A detailed description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact of the vulnerability
  - Any possible mitigations you've identified

- Initial Response: Within 48 hours, you will receive an acknowledgment of your report
- Updates: We will provide a progress update every 5 business days
- Resolution Timeline: We aim to resolve critical issues within 15 days
- Disclosure: We will coordinate with you on the public disclosure timing

- API Keys and Secrets
  - Never commit API keys, passwords, or other secrets to the repository
  - Use environment variables as described in our secrets management guide
  - Rotate any accidentally exposed credentials immediately
- Dependencies
  - Keep all dependencies up to date
  - Review security advisories for dependencies regularly
  - Use `pnpm audit` to check for known vulnerabilities
- Code Review
  - All code changes must go through pull request review
  - Security-sensitive changes require additional review
  - Enable branch protection on main branches

- Environment Setup
  - Follow our secrets management guide for secure configuration
  - Use separate API keys for development and production
  - Regularly rotate credentials
- Model Provider Security
  - Use appropriate rate limiting for API calls
  - Monitor usage patterns for unusual activity
  - Implement proper authentication for exposed endpoints
- Platform Integration
  - Use separate bot tokens for different environments
  - Implement proper permission scoping for platform APIs
  - Regularly audit platform access and permissions

- Environment variable based secrets management
- Type-safe API implementations
- Automated dependency updates via Renovate
- Continuous Integration security checks

- Q4 2024
  - Automated security scanning in CI pipeline
  - Enhanced rate limiting implementation
  - Improved audit logging
- Q1 2025
  - Security-focused documentation improvements
  - Enhanced platform permission management
  - Automated vulnerability scanning

We follow a coordinated disclosure process:
- Reporter submits vulnerability details
- Our team validates and assesses the report
- We develop and test a fix
- Fix is deployed to supported versions
- Public disclosure after 30 days or by mutual agreement

We believe in recognizing security researchers who help improve our security. Contributors who report valid security issues will be:
- Credited in our security acknowledgments (unless they wish to remain anonymous)
- Added to our security hall of fame
- Considered for our bug bounty program (coming soon)

As an MIT-licensed project, users should understand:
- The software is provided "as is"
- No warranty is provided
- Users are responsible for their own security implementations
- Contributors grant a perpetual license to their contributions

- Security Issues: security@eliza.builders
- General Questions: Join our Discord
- Updates: Follow our security advisory page