| Version | Supported |
|---|---|
| 4.x | β Active support |
| 3.x | |
| < 3.0 | β End of life |
We take security seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should be reported privately.
Send details to: security@sentientos.dev
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Time | Action |
|---|---|
| 24 hours | Acknowledge receipt |
| 72 hours | Initial assessment |
| 7 days | Detailed response |
| 14 days | Fix or mitigation plan |
| 30 days | CVE assignment (if applicable) |
We follow responsible disclosure:
- We'll work with you to understand and fix the issue
- We'll credit you in the security advisory (unless you prefer to remain anonymous)
- We ask that you don't disclose the issue publicly until we've released a fix
SENTIENT OS includes multiple security layers:
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β SENTIENT β β V-GATE β β LLM API β
β Client βββββββΆβ Proxy βββββββΆβ Provider β
βββββββββββββββ βββββββββββββββ βββββββββββββββ
β
API Key (Secure)
Stored on server
NEVER in client code
V-GATE Features:
- Request routing & load balancing
- Rate limiting
- API key injection (server-side only)
- Encrypted key storage
- Key rotation support
| Crate | SatΔ±r | Purpose |
|---|---|---|
sentient_guardrails |
307 | Input/output filtering, prompt injection detection, data exfiltration prevention |
oasis_vault |
2,417 | Encrypted secret management, crypto operations |
sentient_tee |
2,683 | Trusted Execution Environment (AMD SEV-SNP, Intel TDX) |
sentient_zk_mcp |
2,062 | Zero-knowledge proofs for MCP protocol |
sentient_compliance |
2,226 | SOC 2 Type II controls, audit logging |
sentient_anomaly |
1,160 | Anomaly detection, intrusion alerts |
Desktop agent için 50+ yasaklı komut:
β YASAKLI: rm -rf, format, dd, chmod 777, curl | bash,
sudo, su, chown root, mkfs, shutdown, reboot
β Δ°ZΔ°N VERΔ°LEN: libreoffice, firefox, vscode, git, cargo
- Memory Safety: Rust guarantees memory safety at compile time
- No unwrap(): All code uses proper error handling with
.expect()or? - Minimal unsafe: Only 10 unsafe blocks, all FFI-required
- Encrypted Storage: AES-256-GCM for sensitive data
- Audit Logging: Complete audit trail for compliance
- Never commit API keys - Use V-GATE or environment variables
- Enable encryption - Use
sentient_vaultfor secrets - Regular updates - Keep SENTIENT OS updated
- Audit logs - Monitor
sentient_complianceaudit logs
-
Run security audit before commits:
cargo audit cargo clippy -- -W clippy::all
-
Check dependencies:
cargo outdated cargo deny check
-
Format code:
cargo fmt --all -- --check
- API keys are transmitted to LLM providers
- Use V-GATE to keep keys server-side
- Consider self-hosted models (Ollama, GPT4All) for sensitive data
- Default port: 8080
- Enable authentication for production
- Use HTTPS in production
- Plugins run in sandboxed environment
- Review plugin code before installation
- Use
sentient_pluginsecurity features
| Date | Auditor | Scope | Result |
|---|---|---|---|
| 2026-04 | Internal | Code review | β Passed |
| 2026-04 | cargo audit | Dependencies | β No vulnerabilities |
| 2026-04 | cargo test | 189+ tests (LLM) | β All passing |
- Security Team: security@sentientos.dev
- PGP Key: security.asc
- GitHub Security: Security Advisories
Last Updated: April 2026
Next Review: July 2026