Do not open a public issue for security vulnerabilities.
Instead, use one of these methods:
- GitHub Security Advisory (preferred): Go to the Security tab and click "Report a vulnerability"
- Email: security@arcanesys.fr
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
The control plane separates agent-facing routes from admin routes:
- Agent routes (
/api/v1/machines/{id}/desired-generation,/api/v1/machines/{id}/report): authenticated via mTLS client certificate. No API key required. - Admin routes (all other
/api/v1/...endpoints): authenticated via API key (Bearer token). When--client-cais set, admin clients also require a valid client certificate.
This split ensures API key rotation does not affect deployed agents, and machine credentials cannot reach admin endpoints.
The following are in scope for security reports:
- Control plane authentication and authorization (API keys, mTLS)
- Agent-to-control-plane communication security (including route separation bypass)
- Rollout orchestration logic (e.g., bypassing rollout protections)
- Secret handling in Nix modules
- SQL injection or data exposure in SQLite queries
- Privilege escalation in agent or control plane systemd services
- Acknowledge: within 48 hours
- Assess severity: within 1 week
- Fix critical issues: within 2 weeks
- Coordinate disclosure: timeline agreed with reporter
Security fixes are applied to the latest release only.