| Version | Supported |
|---|---|
| 0.x | Yes |
This project is pre-1.0. All releases in the 0.x series receive security fixes.
Do not open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities by email to: [email protected]
Include:
- Description of the vulnerability
- Affected version or commit
- Steps to reproduce (a proof of concept if you have one)
- Potential impact
- Suggested fix (if you have one)
| Stage | Target |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 7 days |
| Fix development | 30 days (severity-dependent) |
| Public disclosure | After fix is released |
- The targets above are goals, not guarantees; fix time depends on severity and complexity.
- We will coordinate disclosure timing with you and will not publish details before a fix is available.
- You will be credited in the security advisory unless you prefer anonymity.
We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Act in good faith and within this policy
- Avoid privacy violations, data destruction, and service disruption
- Report findings promptly and allow reasonable time for remediation
Meridian's kernel is designed around these security principles. Each is a design choice with a limit worth knowing, not a guarantee:
- No external dependencies: the kernel uses only the Python standard library, so there is no third-party package to pin, audit, or have typosquatted. The interpreter and anything an agent is handed as a tool remain inside the trust boundary.
- File-based state: there is no database to expose or inject into. The state files become the attack surface instead, so keep them in a directory writable only by the kernel's user and treat any path an agent supplies as untrusted.
- Audit trail: significant actions are written as append-only JSONL. Append-only describes how the kernel writes the log, not a filesystem guarantee; anyone who can write the file can also truncate or rewrite it, so restrict its permissions or ship it off-host if you need tamper evidence.
- Kill switch: a single global flag halts all agent operations. It stops further actions; it does not roll back side effects already committed.
- Least privilege: each agent runs under scoped permissions and a budget, so a compromised or misbehaving agent is bounded by what it was granted, not by what the kernel itself can do.
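As an added illustration of how the audit-trail, kill-switch and least-privilege points above fit together, here is a stdlib-only Python sketch. It is example code written for this page, not Meridian's kernel: the file names (`audit.jsonl`, `HALT`), the `AuditLog`, `Agent`, `read_audit` and `demo` names, the permission-grant and budget model, and the scenario it runs are all assumptions. The log writer opens with `O_APPEND` and numbers every record, so a reader can detect a deleted or reordered line; the kill switch is a file an operator can `touch` from a shell; and the agent checks the switch, its grant and its budget, in that order, before every action, recording the decision either way.

```python
import json
import os
import tempfile
import time
from pathlib import Path


def read_audit(path):
    """Parse a JSONL audit log; a missing or reordered line breaks the 0,1,2,... seq chain."""
    records = []
    with open(path, "rb") as f:
        for n, raw in enumerate(f):
            rec = json.loads(raw)
            if rec.get("seq") != n:
                raise ValueError(f"audit gap at line {n}: seq={rec.get('seq')}")
            records.append(rec)
    return records


class AuditLog:
    """Append-only JSONL writer (hypothetical). Single-writer; wrap record() in a lock if shared."""

    def __init__(self, path):
        self.path = path
        self._next_seq = len(read_audit(path)) if os.path.exists(path) else 0

    def record(self, event, **fields):
        entry = {"seq": self._next_seq, "ts": time.time(), "event": event, **fields}
        # O_APPEND keeps this process from overwriting earlier lines; it is not
        # a filesystem guarantee, so the file still needs restrictive permissions.
        fd = os.open(self.path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        try:
            os.write(fd, (json.dumps(entry, sort_keys=True) + "\n").encode())
            os.fsync(fd)
        finally:
            os.close(fd)
        self._next_seq += 1
        return entry


class Halted(Exception):
    """Raised when the global kill switch is engaged."""


class Agent:
    """Acts only within its grant and budget while the kill switch is clear; every decision is audited."""

    def __init__(self, name, allowed, budget, audit, kill_file):
        self.name, self.allowed, self.budget = name, frozenset(allowed), budget
        self.spent, self.audit, self.kill_file = 0, audit, kill_file

    def act(self, action, cost):
        base = {"agent": self.name, "action": action, "cost": cost}
        if self.kill_file.exists():  # kill switch: checked first, on every call
            self.audit.record("denied", reason="kill_switch", **base)
            raise Halted("global halt engaged")
        if action not in self.allowed:  # scoped permissions
            self.audit.record("denied", reason="not_permitted", **base)
            raise PermissionError(f"{self.name} may not {action}")
        if self.spent + cost > self.budget:  # budget
            self.audit.record("denied", reason="budget", **base)
            raise PermissionError(f"{self.name} is over budget")
        self.spent += cost
        self.audit.record("allowed", **base)
        return True


def attempt(agent, action, cost):
    """Run one action and return its outcome as a string instead of raising."""
    try:
        agent.act(action, cost)
        return "allowed"
    except (PermissionError, Halted) as exc:
        return type(exc).__name__


def tamper_detected(path):
    """Delete the second log line (simulated tampering) and report whether read_audit rejects the file."""
    with open(path, "rb") as f:
        lines = f.readlines()
    with open(path, "wb") as f:
        f.writelines(lines[:1] + lines[2:])
    try:
        read_audit(path)
        return False
    except ValueError:
        return True


def demo(workdir=None):
    """Constructed scenario: one agent, three actions, a global halt, then tampering with the log."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="meridian-demo-"))
    audit = AuditLog(workdir / "audit.jsonl")
    kill_file = workdir / "HALT"  # an operator can `touch` this file to halt every agent
    agent = Agent("researcher", allowed={"read_file"}, budget=3, audit=audit, kill_file=kill_file)
    outcomes = [attempt(agent, a, c) for a, c in [("read_file", 2), ("write_file", 1), ("read_file", 2)]]
    kill_file.touch()
    outcomes.append(attempt(agent, "read_file", 1))
    return {"outcomes": outcomes, "records": read_audit(audit.path), "tamper_detected": tamper_detected(audit.path)}
```

Running `demo()` yields one allowed read, a denial for the unpermitted write, a denial for the read that would exceed the budget, and a `Halted` once the switch is engaged, with four sequenced records in the log; deleting one of those records makes `read_audit` fail, which is the tamper evidence the sequence numbers buy you, but only against an attacker who cannot rewrite the whole file.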
This project aims to meet OpenSSF Best Practices criteria. Current status is tracked in the README.