Security: x0ne-labs/aido-runtime

SECURITY.md

Security Policy

Reporting Vulnerabilities

Do NOT open public GitHub issues for security vulnerabilities.

Please report security issues via email to: security@x0ne.co

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will acknowledge your report within 48 hours and provide a timeline for a fix.

Supported Versions

Version   Supported
0.2.x     ✅ Current
< 0.2     ❌ No

Security Model

AIDO uses a deny-by-default security model. See docs/security.md for the full threat model.

What AIDO protects against

  • ✅ Arbitrary command execution (command whitelist)
  • ✅ Path traversal (canonicalization + deny patterns)
  • ✅ Sensitive file access (.ssh, .gnupg, *.key, *.pem, secrets/)
  • ✅ Uncontrolled container images (image allowlist)
  • ✅ Environment variable exfiltration (env var whitelist)
  • ✅ Desktop automation abuse (rate limiting, opt-in)
  • ✅ LLM hallucination loops (retry limits, detection, per-signature loop_detected circuit breaker)
  • ✅ Plan auto-approval in non-interactive contexts (sub-agents, piped EOF) — explicit env-var gate required

What AIDO does NOT protect against

  • ⚠️ Network egress from allowed commands (e.g. curl if whitelisted)
  • ⚠️ Data exfiltration via allowed read paths
  • ⚠️ Prompt injection from untrusted file content
  • ⚠️ Side-channel attacks from process timing

Recent security fixes

Tag: T0.5
Class: Authorisation bypass
Fixed in: [Unreleased]
Summary: Plan sysaicall would auto-approve in non-interactive contexts (sub-agents, aido < /dev/null). Now an input-presence heuristic applies: real terminal prompts, and piped stdin with content, are honoured; EOF without content rejects with plan_requires_human; sub-agent contexts always reject. Every decision is recorded in the session JSONL with decision_source (tty_yes / tty_enter_default / env_auto_approve / rejected_non_interactive / rejected_subagent / rejected_eof) for audit.

Tag: T11
Class: Resource exhaustion / cost runaway
Fixed in: [Unreleased]
Summary: Stuck LLMs could re-emit the same failing action indefinitely (token burn, action quota burn, possible side effects on retried actions). A per-signature circuit breaker now blocks the 5th identical (action_type, normalized_args, error_code) failure with a non-retryable loop_detected envelope.
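As an added illustration of the T11 per-signature circuit breaker described above (example code written for this page, not the project's own implementation): the threshold of 5, the signature fields and the loop_detected code come from the table, while the class and function names, the canonical-JSON argument normalisation, the envelope shape and the sample error codes are assumptions.

```python
import json
from collections import defaultdict

LOOP_THRESHOLD = 5  # the 5th identical failure trips the breaker (from the fix summary)


def normalize_args(args: dict) -> str:
    # Assumption: canonical JSON, so key order or whitespace differences in the
    # LLM's re-emitted action do not produce distinct signatures for the same call.
    return json.dumps(args, sort_keys=True, separators=(",", ":"))


class LoopBreaker:
    """Circuit breaker keyed on (action_type, normalized_args, error_code)."""

    def __init__(self, threshold: int = LOOP_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # signature -> consecutive identical failures

    def signature(self, action_type: str, args: dict, error_code: str) -> tuple:
        return (action_type, normalize_args(args), error_code)

    def record_failure(self, action_type: str, args: dict, error_code: str) -> dict:
        """Record one failed action and return the error envelope handed back to the LLM."""
        sig = self.signature(action_type, args, error_code)
        self.failures[sig] += 1
        count = self.failures[sig]
        if count >= self.threshold:
            # Non-retryable: the planner must change approach instead of burning
            # more tokens and action quota on the same failing call.
            return {"ok": False, "error_code": "loop_detected", "retryable": False,
                    "original_error": error_code, "signature": sig, "count": count}
        return {"ok": False, "error_code": error_code, "retryable": True, "count": count}

    def is_tripped(self, action_type: str, args: dict, error_code: str) -> bool:
        return self.failures[self.signature(action_type, args, error_code)] >= self.threshold


if __name__ == "__main__":
    # Constructed scenario: an LLM keeps re-emitting a non-whitelisted command.
    breaker = LoopBreaker()
    for _ in range(5):
        env = breaker.record_failure("exec", {"cmd": "nc", "cwd": "/tmp"}, "not_whitelisted")
    print(env)  # 5th call: error_code loop_detected, retryable False
```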

HTTP Mode Security

When running in HTTP mode:

  • Bind to 127.0.0.1 by default — not exposed to the network
  • Optional bearer token authentication — set auth_token in [runtime.http]
  • CORS restricted to localhost — configurable via allowed_origins
  • The stdio and SSH modes are not affected by HTTP security settings