If you believe you have found a security vulnerability in the Oracle Generative AI – Multi-Agent Locus SDK, please report it to us through coordinated disclosure.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please send an email to the maintainers with:

• A description of the vulnerability
• Steps to reproduce the issue
• Any potential impact
• Any suggested fixes (if applicable)

We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.

When using the SDK in production:

1. API Keys: Never commit API keys or secrets to version control. Use environment variables or secret management systems.

2. Tool Execution: Be cautious when allowing agents to execute tools that interact with external systems. Implement proper sandboxing and validation.

3. Input Validation: Always validate and sanitize user inputs before passing them to agents.

4. Model Access: Use appropriate IAM policies to restrict access to OCI GenAI and other model providers.

5. Checkpointing: When using persistent checkpointing backends (Redis, PostgreSQL, etc.), ensure proper authentication and encryption in transit.