Do not open public issues for security vulnerabilities.
We take security seriously. If you discover a security vulnerability, please report it responsibly.
Send an email to: 4211002+mvillmow@users.noreply.github.com
Or use the GitHub private vulnerability reporting feature if available.
Please include as much of the following information as possible:
- Description - Clear description of the vulnerability
- Impact - Potential impact and severity assessment
- Steps to reproduce - Detailed steps to reproduce the issue
- Affected files - Which source files, endpoints, or configurations are affected
- Suggested fix - If you have a suggested fix or mitigation
```text
Subject: [SECURITY] Research endpoint returns unfiltered internal data

Description:
The /v1/research endpoint returns internal metadata including store
keys and NATS subject names without authorization checks, leaking
internal service topology to unauthenticated callers.

Impact:
An attacker could enumerate internal NATS subjects and agent IDs
to map the service topology.

Steps to Reproduce:
1. Start ProjectNestor server
2. curl http://<host>:8081/v1/research
3. Observe internal metadata in the response

Affected Files:
src/routes.cpp (research route handlers)

Suggested Fix:
Add authentication middleware and filter internal fields from responses.
```
We aim to respond to security reports within the following timeframes:
| Stage | Timeframe |
|---|---|
| Initial acknowledgment | 48 hours |
| Preliminary assessment | 1 week |
| Fix development | Varies by severity |
| Public disclosure | After fix is released |
We use the following severity levels:
| Severity | Description | Response |
|---|---|---|
| Critical | Remote code execution, data breach | Immediate priority |
| High | Privilege escalation, data exposure | High priority |
| Medium | Limited impact vulnerabilities | Standard priority |
| Low | Minor issues, hardening | Scheduled fix |
We follow responsible disclosure practices:
- Report privately - Do not disclose publicly until a fix is available
- Allow reasonable time - Give us time to investigate and develop a fix
- Coordinate disclosure - We will work with you on disclosure timing
- Credit - We will credit you in the security advisory (if desired)
When you report a vulnerability, we will:
- Acknowledge receipt within 48 hours
- Investigate and validate the report
- Develop and test a fix
- Release the fix
- Publish a security advisory
The following are in scope:
- C++ source code (research routes, store, NATS client)
- REST API endpoints
- CMake build configuration
- Dockerfile and container configuration
The following are out of scope:
- Odysseus meta-repo configurations (report to Odysseus)
- ProjectAgamemnon API (report to ProjectAgamemnon)
- Other HomericIntelligence submodule repos (report to that repo directly)
- Third-party dependencies (report upstream to cpp-httplib, nlohmann_json, etc.)
- Social engineering attacks
- Physical security
All endpoints under /v1/* require bearer-token authentication. No endpoint is exempt from this requirement.
Set two environment variables before starting the server:
- `NESTOR_AUTH_TOKEN` — the bearer token (required in `required` mode)
- `NESTOR_AUTH_MODE` — authentication mode: `"required"` or `"none"` (case-sensitive, lowercase only; defaults to `"required"`)
| Mode | Behavior |
|---|---|
| `required` | All /v1/* endpoints require a valid Bearer token. Server fails to start if token is missing or empty. |
| `none` | All endpoints are unauthenticated. Used only in test/dev harnesses with explicit opt-in. |
Requests without a valid Bearer token return 401 Unauthorized:

```json
{"detail":"unauthorized"}
```

```bash
# Start the server with authentication enabled
export NESTOR_AUTH_TOKEN="your-secret-token"
export NESTOR_AUTH_MODE="required"
./projectnestor_server

# Unauthenticated request → 401
curl http://localhost:8081/v1/health
# {"detail":"unauthorized"}

# Authenticated request → 200
curl -H "Authorization: Bearer your-secret-token" http://localhost:8081/v1/health
# {"status":"ok"}
```

- Tokens are compared using constant-time comparison (`CRYPTO_memcmp`) to prevent timing attacks
- Token values are never logged in stdout, stderr, or error messages
- Empty strings are treated as unset tokens
- Unknown or mixed-case mode strings cause startup failure (no silent fallback)
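
The startup and comparison rules above, sketched as an added C++ example (not ProjectNestor's own code). `AuthConfig`, `load_auth_config`, `authorize` and `constant_time_equal` are hypothetical names; the hand-written comparison stands in for `CRYPTO_memcmp` so the block builds without OpenSSL, and the exact-match `Bearer ` prefix check is an assumption.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <string_view>

enum class AuthMode { Required, None };
struct AuthConfig { AuthMode mode; std::string token; };  // token is never logged

// Dependency-free stand-in for CRYPTO_memcmp (hypothetical helper): visits every
// presented byte and never exits early, so timing does not reveal a matching prefix.
bool constant_time_equal(std::string_view presented, std::string_view expected) {
    unsigned char diff = presented.size() == expected.size() ? 0 : 1;
    for (std::size_t i = 0; i < presented.size(); ++i) {
        unsigned char e = expected.empty()
            ? 0 : static_cast<unsigned char>(expected[i % expected.size()]);
        diff |= static_cast<unsigned char>(static_cast<unsigned char>(presented[i]) ^ e);
    }
    return diff == 0;
}

// Arguments are the raw NESTOR_AUTH_MODE / NESTOR_AUTH_TOKEN values (nullopt = unset).
// A nullopt result means the server must refuse to start.
std::optional<AuthConfig> load_auth_config(std::optional<std::string> mode_env,
                                           std::optional<std::string> token_env) {
    const std::string mode = mode_env.value_or("required");   // default mode
    if (mode == "none") return AuthConfig{AuthMode::None, ""};
    if (mode != "required") return std::nullopt;               // "Required", "off", ...
    if (!token_env || token_env->empty()) return std::nullopt; // empty counts as unset
    return AuthConfig{AuthMode::Required, *token_env};
}

// Maps an Authorization header value to the HTTP status the server would return.
int authorize(const AuthConfig& cfg, std::string_view authorization_header) {
    if (cfg.mode == AuthMode::None) return 200;
    constexpr std::string_view prefix = "Bearer ";             // exact match (assumption)
    if (authorization_header.substr(0, prefix.size()) != prefix) return 401;
    authorization_header.remove_prefix(prefix.size());
    return constant_time_equal(authorization_header, cfg.token) ? 200 : 401;
}

int main() {
    // Constructed sample token, not a real credential.
    auto cfg = load_auth_config(std::nullopt, std::string("constructed-token"));
    return cfg && authorize(*cfg, "Bearer constructed-token") == 200 ? 0 : 1;
}
```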
When contributing to ProjectNestor:
- Validate all HTTP request input before processing
- Avoid buffer overflows and undefined behavior
- Run AddressSanitizer + UBSan (`just asan`) and ThreadSanitizer (`just tsan`); both gate every PR in CI
- Never commit secrets, API keys, tokens, or credentials
- Pin FetchContent dependency versions to known-good commits
For security-related questions that are not vulnerability reports:
- Open a GitHub Discussion with the "security" tag
- Email: 4211002+mvillmow@users.noreply.github.com
Thank you for helping keep HomericIntelligence secure!