
Security: Axiom-consensus-protocol/ACP-PROJECT

Security Policy

Supported Versions

Version   Supported
4.0.x     Yes
< 4.0     No

Reporting a Vulnerability

Do not open public issues for security vulnerabilities.

How to Report

Email: security@axiomprotocol.org
Expected Response Time: 48 hours

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

What to Expect

  1. Acknowledgment within 48 hours
  2. Investigation with estimated timeline
  3. Fix developed and tested
  4. Disclosure coordinated with reporter
  5. Credit in security advisory (unless you prefer anonymity)

Security Considerations

API Keys

  • Never commit API keys to version control
  • .env is gitignored by default
  • Use environment variables for all secrets
  • Rotate keys regularly

Worker API

  • Authentication via x-openrouter-key header
  • Rate limiting enforced (100 req/min, 10 req/sec burst)
  • Query text is not logged (privacy)

Python Backend

  • Run behind reverse proxy (nginx, Caddy) in production
  • Enable HTTPS/TLS
  • Set ACP_API_KEY for authentication
  • Firewall rules to restrict access

Database

  • PostgreSQL connections require authentication
  • Use strong passwords (min 16 chars)
  • Enable SSL for database connections
  • Regular encrypted backups

Known Limitations

LLM Output Safety

  • ACP consensus does not guarantee safe or ethical output
  • Models can produce harmful content even with consensus
  • Implement content filtering for production use

Cost Controls

  • Consensus queries can be expensive with large models
  • Set spending limits on your LLM provider
  • Use smaller models for testing

Denial of Service

  • Rate limiting enforced at edge
  • For self-hosting, implement additional rate limits

Secure Configuration

Production Checklist

  • Set ACP_API_KEY for authentication
  • Enable HTTPS/TLS
  • Enable database SSL
  • Set LLM provider spending limits
  • Configure rate limiting
  • Enable logging and monitoring
  • Regular dependency updates

Environment Variables

Required:

OPENROUTER_API_KEY=sk-or-v1-xxx

Recommended:

ACP_API_KEY=xxx
DATABASE_URL=postgresql://...
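
A startup check for the environment variables and checklist items above, as an added example that is not part of the ACP project's own code. It assumes the backend's PostgreSQL driver honours libpq's `sslmode` URL parameter and treats the sample `xxx` values as unset; `preflight` is a hypothetical name.

```python
import os
from urllib.parse import urlsplit, parse_qs, unquote

# Sample values from this page; treated the same as an unset variable.
PLACEHOLDERS = {"", "xxx", "sk-or-v1-xxx"}
SSL_MODES = {"require", "verify-ca", "verify-full"}  # libpq modes that enforce TLS
MIN_DB_PASSWORD_LEN = 16  # "min 16 chars" from the Database section


def preflight(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Required: the provider key must be present and not the sample value.
    if env.get("OPENROUTER_API_KEY", "") in PLACEHOLDERS:
        findings.append("OPENROUTER_API_KEY is missing or a placeholder")

    # Listed as recommended, but the production checklist calls for it.
    if env.get("ACP_API_KEY", "") in PLACEHOLDERS:
        findings.append("ACP_API_KEY is missing or a placeholder")

    db_url = env.get("DATABASE_URL", "")
    if db_url:
        url = urlsplit(db_url)
        if url.scheme not in ("postgresql", "postgres"):
            findings.append("DATABASE_URL is not a PostgreSQL URL")
        # Percent-decode so an encoded password is measured at its real length.
        if len(unquote(url.password or "")) < MIN_DB_PASSWORD_LEN:
            findings.append("DATABASE_URL password is shorter than 16 characters")
        # Assumption: the driver honours libpq's sslmode query parameter.
        mode = parse_qs(url.query).get("sslmode", [""])[-1]
        if mode not in SSL_MODES:
            findings.append("DATABASE_URL does not enforce SSL (sslmode=%r)" % mode)
    return findings


if __name__ == "__main__":
    problems = preflight(os.environ)
    for problem in problems:
        print("FAIL:", problem)  # findings name the variable, never its value
    raise SystemExit(1 if problems else 0)
```

Run it before the backend starts (for example as a container entrypoint step) so that a non-zero exit blocks a misconfigured deployment.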

Responsible Disclosure

Timeline:

  1. Day 0: Vulnerability reported
  2. Day 1-2: Acknowledgment
  3. Day 3-30: Investigation and fix
  4. Day 30: Coordinated disclosure

License

This project is licensed under BSL 1.1. See LICENSE for details.


Last Updated: 2026-04-09
Contact: security@axiomprotocol.org
