If you discover a security vulnerability in Synapses Intelligence, please report it responsibly to the maintainers before disclosing it publicly.

Email: security@synapsesos.dev (or GitHub private security advisory)

Response SLA: Acknowledgment within 24 hours; fix timeline depends on severity (24 hours critical, 1 week high, 2 weeks medium).

✅ HTTP API — Input validation, injection attacks, DoS conditions ✅ LLM Backends — Prompt injection, model manipulation ✅ SQLite Store — Query injection, data integrity, file permissions ✅ Sidecar Communication — Timeout handling, malformed responses ✅ Configuration — Path traversal, insecure defaults

❌ Dependency vulnerabilities (report upstream) ❌ Local LLM model vulnerabilities (report to model vendor) ❌ Host machine exploits (OS-level issues)

• All inference is local (localhost only, no cloud)
• No telemetry or external API calls
• SQLite cache stored at ~/.synapses/brain.sqlite (user-only permissions)

• brain.json has tilde expansion to prevent path traversal
• HTTP server runs on localhost:11435 only (not exposed to network)
• Timeouts prevent resource exhaustion (default 120s per inference)
• No arbitrary code execution (pure LLM text completion)

• Prompt templates sanitize user input
• No shell command execution from LLM output
• Output validation before storing in SQLite

1. Don't expose the sidecar — Run on localhost only; never expose :11435 to the network
2. Keep updated — Regularly update to latest version
3. Protect your codebase — SQLite cache contains code summaries; restrict access to ~/.synapses/
4. Monitor inference — Large timeout_ms values may indicate resource exhaustion attempts

All Go dependencies are vendored. Run go mod audit to check for known vulnerabilities:

go mod audit

Key dependencies:

• modernc.org/sqlite — Pure-Go SQLite (no CGo)
• google/uuid — UUID generation
• golang.org/x/exp — Stable Go utilities

1. Fix developed and tested
2. Patch released as point version (e.g., v0.7.1)
3. GitHub Security Advisory issued
4. Public announcement with CVE (if applicable)

• Security: security@synapsesos.dev
• Issues: https://github.com/SynapsesOS/synapses-intelligence/issues

Thank you for helping keep Synapses Intelligence secure! 🔒