Found something that could let an attacker run code, steal keys, or trash someone's install? Tell me privately first., pretty please!
It would be very much appreciated if you allowed me time to apply a fix, before raising a public issue for any critical exploits or vulnerabilites.
- Do not open a public GitHub issue with exploit details.
- Preferred: GitHub private vulnerability reporting (if enabled on the repo: Settings → Security → Private vulnerability reporting).
- Otherwise: contact me privately (see .github/CODEOWNERS)—email or DM you already use for confidential stuff.
Include whatever helps me reproduce fast:
- What you think is wrong (RCE, auth bypass, path traversal, secret leak, etc.)
- Steps to reproduce (commands, routes, config snippets—redact real keys)
- What you think the impact is
- Your environment (OS, Node version, how Control Hub is exposed) if it matters
| Step | Target |
|---|---|
| I acknowledge your report | Within 72 hours |
| I confirm scope and severity | Within 7 days |
| Fix or mitigation | As soon as I have a verified patch |
I aim for coordinated disclosure: fix first, then a short public note (changelog/advisory) describing impact and remediation without a step-by-step exploit recipe.
- Control Hub API routes, auth/deploy gates, cron/update hooks, path validation on disk writes
- Accidental secrets in repo, docs, logs, or default configs
- Docker/deploy scripts that expose the app unsafely by default
- Issues in Hermes Agent upstream — report those to Nous Research / Hermes unless Control Hub is clearly wrapping the bug wrong
- Social engineering, physical access, or "you left SSH open on the internet" — still bad, but not something I patch in this repo
- Theoretical issues with no practical exploit path—send anyway if you are unsure; I will triage
- Bind to trusted networks or put a reverse proxy with auth in front.
- Set
CH_READ_ONLY=1on instances that should not mutate config. - Rotate keys if you think they leaked; check
~/.hermes/logsand deploy logs for accidental echo.
Thanks for helping keep installs safe.