MNEMOS handles encrypted personal data and Ethereum wallet signatures. We take security seriously. This policy covers:
- The MNEMOS web application (mnemosbase.com)
- The MCP server (@mnemos-ai/mcp-server)
- The public API (/api/*)
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing mnemosbase@proton.me. Include:
- A clear description of the vulnerability
- Steps to reproduce
- The potential impact (what data or systems are at risk)
- Any proof-of-concept code if applicable
We will acknowledge your report within 48 hours and aim to provide a fix timeline within 7 days for critical issues.
While researching, please:
- Give us reasonable time to fix the issue before public disclosure
- Do not access or modify other users' data
- Do not perform denial-of-service attacks
- Do not use automated scanners against the production app without prior consent
MNEMOS encrypts all memory content client-side using AES-256-GCM before it leaves your browser. The server stores only ciphertext — it has no access to plaintext memory content. Your encryption key is derived from your wallet and never transmitted.
This means:
- A database compromise exposes only ciphertext
- API key compromise allows writing/deleting memories but not reading plaintext content
- The primary attack surface for content exposure is the client (browser) and wallet
Limitations to keep in mind:
- API keys grant full write/delete access to a vault — treat them like passwords
- Wallet signatures (EIP-191) are used for authentication but do not encrypt content
- Shared vault ECDH key exchange relies on the security of both participants' wallets
We currently support and patch the latest deployed version only. There are no versioned releases with separate security support windows.