Skip to content

Security: shivamsingh-007/SCOUT-The-Agentic-Loop

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

If you discover a security vulnerability in SCOUT, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

How to Report

  1. Email: security@scout.dev (or create a private GitHub advisory)
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix timeline: Depends on severity
    • Critical: 24-48 hours
    • High: 1 week
    • Medium: 2 weeks
    • Low: Next release

Scope

In-scope vulnerabilities:

  • Authentication bypass
  • Authorization bypass (tenant isolation escape)
  • Injection attacks (SQL, command, prompt)
  • Sensitive data leakage
  • Denial of service via crafted input
  • Cryptographic weaknesses

Out-of-scope:

  • Issues in dependencies (report upstream)
  • Issues requiring physical access to the server
  • Issues in development-only features

Security Measures

Authentication

  • API keys hashed with SHA-256 + salt
  • Constant-time comparison via hmac.compare_digest
  • No plaintext key storage
  • Keys can have expiration dates

Tenant Isolation

  • Every service method is tenant-scoped
  • Cross-tenant access returns 404 (not 403)
  • No information leakage between tenants

Input Validation

  • Pydantic models for all API inputs
  • Tool output size limits (configurable)
  • Message history truncation
  • Sensitive data scanning in memory store

Error Handling

  • Error messages sanitized in production
  • No file paths, API keys, or internal details in responses
  • Structured logging (no print() statements)

Rate Limiting

  • Per-tenant request limits (per-minute, per-hour)
  • Concurrent request limits
  • Configurable per deployment

Hardening Applied

See the production readiness gates in README.md for the full list of security measures applied.

Cryptography

SCOUT uses:

  • SHA-256 for API key hashing
  • HMAC for constant-time comparison
  • WAL mode for SQLite concurrent access
  • busy_timeout for SQLite write contention

No custom cryptography is implemented. All crypto uses Python standard library.

There aren't any published security advisories