Skip to content

Security: brainx/olymp

Security

SECURITY.md

Security Policy

Supported Versions

Olymp is pre-1.0. Security fixes should target the current development branch until a version support policy is published.

Reporting a Vulnerability

Do not open public issues for vulnerabilities involving credentials, node control, bot lifecycle actions, logs, audit events, release artifacts, or network access. Use GitHub private vulnerability reporting when the repository is published.

Security Model

  • Olymp is a control plane for Zeus nodes, not a sandbox.
  • The MVP API binds to 127.0.0.1:4321 by default.
  • Every Olymp API endpoint except GET /health requires OLYMP_API_KEY through x-olymp-api-key.
  • Zeus nodes should stay loopback-only. Use local mode, SSH tunnels, mTLS, or a future node sidecar instead of exposing Zeus directly.
  • Node registration is an SSRF boundary. Remote URLs require explicit opt-in and HTTPS.
  • Logs, inspect payloads, audit events, and evidence bundles may contain sensitive operational data.

Operational Guidance

  • Store Zeus keys in environment variables referenced by node records; do not put raw keys in SQLite, docs, examples, command output, or frontend bundles.
  • Rotate any credential that was committed, printed in logs, captured in evidence, or shared outside the intended host.
  • Use staging-only credentials on test hosts.
  • Review evidence before sharing it.

There aren't any published security advisories