Skip to content

Security: fa8i/janus-assistant

Security

SECURITY.md

Security Policy

Janus runs locally and handles sensitive material: LLM API keys, OAuth tokens, Telegram bot tokens and the contents of your machine. Please treat security reports responsibly.

Reporting a vulnerability

Do not open a public issue for security problems. Instead, report privately via GitHub's "Report a vulnerability" button on the Security tab of this repository (Security → Advisories → Report a vulnerability).

Please include:

  • a description of the issue and its impact;
  • steps to reproduce (a minimal proof of concept if possible);
  • the affected version or commit.

You will get an acknowledgement as soon as possible, and a fix or mitigation will be coordinated before any public disclosure.

Handling secrets

  • Secrets live only in the JANUS_HOME/.env file, created with 0600 permissions, and are injected into tool/MCP subprocesses at spawn time.
  • Secrets are never written to the MCP connector registry, logs or the README.
  • Never paste real API keys, tokens or .env contents into issues or PRs.

Supported versions

This is pre-1.0 software; only the latest released version receives security fixes.

There aren't any published security advisories