Skip to content

Security: icidade/miniCISO

SECURITY.md

Security policy

Data that does not belong in the repository

Do not open issues or commits containing tokens, keys, cookies, personal data, real reports, Hermes sessions, memories, or client/third-party evidence.

If a secret is published, revoke it with the provider before cleaning history. Removing only the file from the most recent commit does not eliminate the exposure.

Vulnerability reporting

For flaws in the MiniCISO overlay, use GitHub Security's private Report a vulnerability flow when enabled. Do not publish exploitable details in a public issue.

Runtime flaws must be reported to NousResearch/hermes-agent according to that project's policy.

Scope

The offensive profiles in this project require explicit authorization and defined scope. The presence of prompts does not grant authorization to test third-party systems.

There aren't any published security advisories