Igor v0 is experimental research software currently in Phase 2 (Survival) development. It is not production-ready and has known security limitations by design.
Do not deploy Igor v0 on public networks or with sensitive data.
Only the main branch is actively maintained. No stable releases have been tagged yet.
| Version | Supported |
|---|---|
| main | ✅ |
| v0.x | 🚧 |
If you discover a security vulnerability in Igor, please report it responsibly.
- Go to https://github.com/simonovic86/igor/security/advisories
- Click "Report a vulnerability"
- Provide a detailed description
- Allow time for assessment and patch development
Email security issues to: security@igor-project.org (placeholder - use GitHub issues for now)
Include in your report:
- Description of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if applicable)
- Your contact information (for coordination)
Critical:
- WASM sandbox escapes
- Arbitrary code execution on host
- Memory corruption or buffer overflows
- Resource exhaustion attacks that crash nodes
- Migration protocol attacks that create duplicate agents
- Checkpoint corruption that breaks recovery
Important:
- Denial-of-service vulnerabilities
- Information disclosure
- Privilege escalation within sandbox
- Budget manipulation exploits
- Migration abuse scenarios
Lower Priority (but still valuable):
- Logging security issues
- Configuration weaknesses
- Documentation improvements
We follow coordinated disclosure:
- Report received - We acknowledge within 48 hours
- Assessment - We evaluate severity and impact
- Fix development - We develop and test a patch
- Disclosure timeline - We agree on public disclosure date
- Patch release - We release fix to main branch
- Public disclosure - We publish security advisory
Typical timeline: 30-90 days from report to disclosure, depending on severity.
For detailed threat analysis and security mechanisms:
- docs/runtime/THREAT_MODEL.md - Threat assumptions, adversary classes, trust boundaries
- docs/runtime/SECURITY_MODEL.md - Current security mechanisms and limitations
- docs/enforcement/RUNTIME_ENFORCEMENT_INVARIANTS.md - System guarantees
For non-sensitive questions about Igor security:
- Open a GitHub issue
- Use "security" label
- Public discussion welcome
For sensitive vulnerability reports:
- Use GitHub Security Advisory
- Private disclosure until patched