Skip to content

Security and Privacy

Hermes Agent edited this page Jul 11, 2026 · 1 revision

Security and Privacy

This page is explanatory. The canonical security policy is SECURITY.md.

Public versus private state

The public repository and wiki are for sanitized overlay content. Live operational state stays private.

Safe to publish

Examples of content that may belong in the public repo or wiki:

  • profile definitions and prompts intended for public release;
  • templates and scripts;
  • sanitized methodology documentation;
  • safe export tooling for public artifacts.

Never publish

Do not publish:

  • secrets, tokens, PATs, cookies, or API keys;
  • internal hostnames or private URLs;
  • Hermes sessions, memories, local logs, or cron output;
  • real reports or unsanitized evidence;
  • sensitive triage trails;
  • raw assessment artifacts.

Secrets handling

Credentials requested by Hermes setup belong in the user's Hermes environment, not in this repo.

Sessions, memories, logs, reports, and evidence

These are private operational artifacts unless deliberately sanitized for publication.

Sanitization

Public content should remove:

  • user or client identifiers;
  • target-specific evidence;
  • active engagement details;
  • secrets and operational residue.

Safe self-update

MiniCISO supports allowlisted export of selected non-secret runtime artifacts back into the public repo. Diff review is still mandatory before commit and push.

Responsible disclosure

The presence of offensive profiles does not grant authorization to test third-party systems. Follow explicit authorization and scope boundaries.

Clone this wiki locally