6c9c7fe7f3
CI / integration tests (3.13) (push) Failing after 1s
Commit lint / pull request title (push) Has been skipped
Docs / links (push) Failing after 1s
CI / unit tests (3.13) (push) Failing after 1s
CI / lint (push) Failing after 1s
CI / integration tests (push) Failing after 1s
CI / package build (push) Failing after 1s
Commit lint / commit messages (push) Failing after 1s
CI / unit tests (push) Failing after 1s
1.8 KiB
1.8 KiB
Security Policy
Supported Versions
EverOS is released and at v1.0.0 (stable). Security fixes are applied to the latest release line only.
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, email evermind@shanda.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce, or a proof-of-concept
- The affected version / commit
- Any suggested mitigation, if you have one
We will acknowledge your report within 5 business days, keep you informed of progress, and aim to ship a fix or mitigation before any public disclosure. Reporters are credited in the release notes unless you prefer to remain anonymous.
Scope & Threat Model
EverOS runs as a local-first service for single users or small teams (Markdown + SQLite + LanceDB on the local filesystem). Please keep the following in mind:
- Exposing the HTTP API (
everos server) to an untrusted network is outside the supported threat model — it assumes a trusted local caller. The server binds to127.0.0.1by default (envEVEROS_API__HOST) so a fresh install is loopback-only. Only set the bind to0.0.0.0(or any routable interface) after you have placed your own gateway / auth layer in front;everos server startwill log a warning when you bind to0.0.0.0. - Secrets (LLM / embedding API keys) live in your local
.env; protect that file as you would any credential. EverOS never transmits them anywhere except the providers you configure. - Memory content is stored as plaintext
.mdfiles; apply OS-level file permissions or disk encryption if your data is sensitive.