Version: v2.5.0
Last-Updated: 2025-10-09
| Version | Supported |
|---|---|
| 2.5.x | ✅ |
| 2.4.x | ❌ |
| 2.3.x | ❌ |
| < 2.3 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
Security vulnerabilities should be reported privately to prevent exploitation.
Send details to security@orchintel.com and include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Based on severity (Critical: 24h, High: 7 days, Medium: 30 days, Low: 90 days)
- All operations are logged with structured JSON
- Sensitive data (tokens, emails) are automatically redacted
- Audit logs rotate based on size (~10MB) with SHA-256 integrity
- Immutable JSONL audit rotation policy with configurable size/time limits
- Hash-based integrity verification for all audit entries
- Provider-level data retention flags
- Automatic cleanup of sensitive data
- Configurable retention policies
- Agent trust verification via digital signatures
- Tenant isolation enforcement
- Manifest validation against schemas
- AES-256 encryption at rest for cold storage (feature-flagged)
- Configurable encryption key management via environment variables
- Pre/post-operation security checks
- Denial reasoning and audit trails
- Trust registry validation
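The audit-log bullets above (SHA-256 integrity, hash-based verification of JSONL entries, redaction of tokens and e-mail addresses) state the goal but not a mechanism. The following is an added illustration, not IOA Core's own code or log format, of one way such a chained JSONL log can be written and verified; the field names, redaction rules and the `demo` helper are assumptions.

```python
import hashlib
import json
import re

# Hypothetical format: each JSONL line carries the previous entry's hash, so
# editing or deleting any earlier line breaks every hash that follows it.
GENESIS = "0" * 64
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SENSITIVE_KEYS = {"token", "api_key", "authorization"}  # assumed key names


def redact(event: dict) -> dict:
    """Strip secrets and e-mail addresses before the entry is hashed and stored."""
    clean = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, str):
            clean[key] = EMAIL_RE.sub("[REDACTED_EMAIL]", value)
        else:
            clean[key] = value
    return clean


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so re-serialisation is stable.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(log: list, event: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    payload = redact(event)
    entry = {"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)}
    log.append(entry)
    return entry


def verify_chain(lines: list) -> tuple:
    """Parse JSONL lines; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry["prev"] != prev or entry_hash(prev, entry["payload"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def demo() -> tuple:
    """Constructed events: an intact log verifies, a modified decision is caught."""
    log = []
    append_entry(log, {"op": "register_agent", "actor": "alice@example.com", "token": "sk-live-123"})
    append_entry(log, {"op": "policy_check", "result": "deny", "reason": "tenant mismatch"})
    lines = [json.dumps(e, sort_keys=True) for e in log]
    intact = verify_chain(lines)[0]
    tampered = [json.loads(l) for l in lines]
    tampered[1]["payload"]["result"] = "allow"  # rewrite a denial after the fact
    detected = verify_chain([json.dumps(e) for e in tampered]) == (False, 1)
    return intact, detected
```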
- Never commit API keys or secrets to version control
- Use `.env` files for local development (excluded from git)
- Rotate keys regularly
- Validate all agent manifests against schemas
- Verify trust signatures before registration
- Enforce tenant isolation
- Use HTTPS for all external API calls
- Implement rate limiting for provider APIs
- Monitor for unusual access patterns
- API keys provide full access to provider services
- Monitor usage and implement spending limits
- Consider using provider-specific security features
- Audit logs may contain sensitive information
- Implement proper access controls for log files
- Consider encryption for audit log storage
- Verify tenant isolation in multi-tenant deployments
- Implement proper access controls between tenants
- Regular security audits of isolation mechanisms
Security updates are released as patch versions (e.g., 2.5.1, 2.5.2) and should be applied promptly.
- Applied immediately upon release
- May require service restart
- Include security patches and urgent fixes
- Applied within 30 days of release
- Include security improvements and bug fixes
- Backward compatible when possible
IOA Core is designed to support various compliance requirements:
- GDPR: Data retention controls and audit logging
- SOC 2: Comprehensive audit trails and access controls
- HIPAA: Secure handling of sensitive data (with proper configuration)
- Security Team: security@orchintel.com
- Maintainers: maintainers@orchintel.com
- Community: security-issues@orchintel.com
We thank security researchers and community members who responsibly report vulnerabilities. Contributors to security improvements are acknowledged in our docs/reference/CONTRIBUTORS.md file.