The multiagent-protocol bot holds merge permission on the main branch of every repository it is installed on. A vulnerability in the bot is therefore a vulnerability in the integrity of that branch. We take security seriously.
Specifically, the following are in-scope security issues:
- Authentication bypass — anything that allows code or commits to merge without the L1 5-condition gate.
- Classifier impersonation — anything that allows an attacker to publish a
classifier-judgmentcheck-run that the bot honors (the publisher-identity gate must hold; seesrc/multiagent_protocol/skills/builtin/validator_classifier_publisher.py). - Trailer forgery / identity confusion — anything that allows a commit to pass the L4 identity gate while misrepresenting which agent/session authored it.
- Break-glass bypass — anything that allows a
[break-glass-*]commit to land onmainwithout triggering L5 audit + ADR-within-24h requirement. - Decision Inbox manipulation — anything that allows non-owner reactions/comments to count as "owner approval" on Quadrant D issues.
- Secret leakage — accidental logging or commit of PEM private keys, GitHub App tokens, or owner credentials.
- Mirror cascade trust violation — anything that allows an adopter repository to forge a successful sync against
canonical_pathswithout actually matching content. - Web wizard XSS / code execution — the wizard is a static page that processes user input; any path that lets attacker-controlled input run as JavaScript in another user's wizard session is in scope.
The following are out of scope:
- Compromised GitHub account of the bot operator (this is your own machine to defend).
- Compromised VPS / self-hosted runner host (this is your own infrastructure).
- Brute-force or social engineering of GitHub itself.
- Loss of bot maintenance funding / availability (this project is best-effort; see
MAINTAINERS.md).
Do not open a public GitHub Issue. Use one of the following channels:
-
GitHub Security Advisories: https://github.com/donggun-jung/multiagent-protocol/security/advisories/new Preferred channel. Encrypted in transit, viewable only by maintainers.
-
Email: send to the address listed in
MAINTAINERS.mdwith[SECURITY]in the subject. If you require PGP, request a key in the first message.
In your report, please include:
- A description of the vulnerability.
- Steps to reproduce (ideally a minimal proof-of-concept).
- The version (commit SHA or release tag) you tested against.
- Your assessment of severity (CVSS or Low/Medium/High/Critical).
- Whether you intend to publish the finding, and if so, your preferred disclosure timeline.
- Initial acknowledgement: within 7 days of your report.
- Severity assessment: within 14 days.
- Patch development: depends on severity, but we aim for:
- Critical (auth bypass, RCE, key exfiltration): within 14 days.
- High: within 30 days.
- Medium / Low: best-effort, no fixed window.
- Public disclosure: coordinated with you. Default is 90 days from initial report, but we will negotiate shorter for actively-exploited issues or longer for complex fixes.
We do not have a bug bounty program. We will credit you in the advisory and CHANGELOG unless you prefer otherwise.
Even with a perfect bot, the operator must hold up their end:
- Run on the GitHub Free tier branch protection limitation, not in spite of it. If you can pay for GitHub Pro, GitHub's built-in branch protection is auditable and battle-tested by GitHub's security team. This project is for people who cannot or will not pay; you accept the tradeoffs.
- Rotate the GitHub App private key on a 90-day cadence, and immediately on any suspected leak. GitHub Apps support multiple active private keys; generate the new key first, deploy it to Actions secrets, then delete the old key. If the key ever appears in a log, public repo, or chat transcript, rotate immediately and audit
bot-state/classifier_audit.jsonlfor the window in which the leak might have been usable. - Use fine-grained Personal Access Tokens for any self-hosted runner credentials, scoped to the minimum repos and permissions needed.
- Review
Agent-SessionIDs. A session ID that does not match the regex^s_[a-z0-9][a-z0-9-]{2,14}[a-z0-9]$is suspicious; the L4 identity gate should already reject it, but watch the audit log. - Read your own Decision Inbox. The bot routes irreversible-and-critical actions to you for a reason. Do not blanket-approve.
| Version | Supported |
|---|---|
| 1.0.x | Yes — current |
| < 1.0 | No |
1.0.0 is the first stable release: the cron orchestrator and the L1–L5 enforcers ship working, after multiple rounds of independent external review. We aim to keep API/schema/CLI compatibility within the 1.x line.