-
-
Notifications
You must be signed in to change notification settings - Fork 0
Security and Privacy
This page is explanatory. The canonical security policy is
SECURITY.md.
The public repository and wiki are for sanitized overlay content. Live operational state stays private.
Examples of content that may belong in the public repo or wiki:
- profile definitions and prompts intended for public release;
- templates and scripts;
- sanitized methodology documentation;
- safe export tooling for public artifacts.
Do not publish:
- secrets, tokens, PATs, cookies, or API keys;
- internal hostnames or private URLs;
- Hermes sessions, memories, local logs, or cron output;
- real reports or unsanitized evidence;
- sensitive triage trails;
- raw assessment artifacts.
Credentials requested by Hermes setup belong in the user's Hermes environment, not in this repo.
These are private operational artifacts unless deliberately sanitized for publication.
Public content should remove:
- user or client identifiers;
- target-specific evidence;
- active engagement details;
- secrets and operational residue.
MiniCISO supports allowlisted export of selected non-secret runtime artifacts back into the public repo. Diff review is still mandatory before commit and push.
The presence of offensive profiles does not grant authorization to test third-party systems. Follow explicit authorization and scope boundaries.