Skip to content

Security: AxioRank/gateway

Security

SECURITY.md

Security policy

Reporting a vulnerability

Email security@axiorank.com. Please do not open a public issue for anything you believe is a vulnerability.

Include what you can: affected version, a minimal reproduction, and impact as you understand it. You will get an acknowledgment within 2 business days and a status update at least every 7 days until resolution.

We ask for up to 90 days of coordinated disclosure. We credit reporters in the changelog unless you prefer otherwise.

Scope notes

Things we especially want to hear about:

  • Receipt integrity: any way to produce a receipt that verifies but misrepresents what the gateway did, break the hash chain undetected, or forge a signature.
  • Guardrail bypasses with security impact: a payload class the detectors are documented to block (secrets, prompt injection, destructive commands) passing through in block mode. One-off detector misses are ordinary bugs; a systematic bypass is a vulnerability.
  • Key handling: any path that writes a provider API key or the signing private key to logs, receipts, headers, or telemetry.
  • The gateway forwarding requests anywhere other than the configured upstreams.

The detection engine is heuristic and local; risk scores are advisory by design, and tuning disagreements are not vulnerabilities.

Supported versions

The latest minor release receives security fixes. Upgrading is one npm install away and the config format is stable within a major version.

There aren't any published security advisories