| Version | Supported |
|---|---|
| v0.1.0 | Yes |
| < v0.1.0 | No |

Versions before v0.1.0 are not supported and should not be deployed.
Do not open public GitHub issues for vulnerabilities.
Email: security@vyrox.dev
Subject format: `SECURITY: <brief description>`
Response SLA:
- Acknowledgement within 48 hours
- Initial triage within 7 days
- Patch timeline communicated within 14 days
PGP key available at https://vyrox.dev/.well-known/pgp-key.txt.
In scope:
- HMAC bypass
- Rate limiter bypass
- Audit log tampering
- Action execution without approval
- Authentication weaknesses in the proxy
Out of scope:
- UI/UX concerns
- Physical-access attack scenarios
- Model hallucinations outside proxy execution logic
Vyrox follows coordinated disclosure. Reporters are credited in release notes unless anonymity is requested.
No bounty program is active during alpha.
- `DRY_RUN=true` is expected in non-production environments and intentionally short-circuits EDR side effects.
- Infrastructure capacity constraints may affect throughput during burst loads.
These are operational constraints, not vulnerabilities.