Currently, only the latest version of AgentMem is receiving security updates.
| Version | Supported |
|---|---|
| 2.x.x | ✅ Yes |
| 1.x.x | ❌ No |
The AgentMem team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
DO NOT open a public issue for security vulnerabilities.
Instead, please send an email to: security@agentmem.dev
Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Affected versions (if known)
- Potential impact
- Suggested mitigation (if any)
**Acknowledgment (within 48 hours)**
- You will receive an email acknowledging receipt of your report
- We may ask for additional information

**Investigation (within 7 days)**
- We will investigate the vulnerability
- We will determine the severity and impact

**Resolution (varies by severity)**
- We will develop a fix
- We will coordinate release with you

**Disclosure**
- You will be notified when the fix is released
- We will credit you in the release notes (unless you prefer anonymity)
Security updates will be:
- Released as patch versions (e.g., 2.0.1 → 2.0.2)
- Announced in the CHANGELOG.md
- Published on GitHub Releases with the "security" label
**Keep Updated**
- Always use the latest version
- Subscribe to GitHub Releases
- Monitor the CHANGELOG.md

**Secure Configuration**
```rust
// AuthConfig is assumed to be exported from the crate root alongside Config and Memory
use agent_mem::{AuthConfig, Config, Memory};

let config = Config::builder()
    .with_encryption(true) // Enable encryption at rest
    .with_authentication(AuthConfig::default())
    .build();
let memory = Memory::new(config).await?;
```
**Input Validation**
- Always validate user input before storing
- Sanitize data from untrusted sources
- Use parameterized queries to prevent injection

**Access Control**
- Implement proper RBAC (Role-Based Access Control)
- Use API keys for authentication
- Rotate credentials regularly
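An added example (not AgentMem's own code) for the input validation points above: it contains a user-supplied relative path inside a trusted base directory, the path traversal case this document's security considerations cover further down, and shows why a plain `join` followed by `starts_with` is not enough. The base directory `/srv/agentmem` and the function names are assumptions.

```rust
// Added example (not AgentMem code): contain a user-supplied relative path
// inside a base directory without trusting a lexical prefix check.
use std::path::{Component, Path, PathBuf};

/// Join `user_input` onto `base_dir`, rejecting anything that could escape it.
/// Assumes `base_dir` is a trusted, absolute directory chosen by the application.
pub fn safe_join(base_dir: &str, user_input: &str) -> Result<PathBuf, String> {
    let requested = Path::new(user_input);
    if requested.as_os_str().is_empty() {
        return Err("Invalid path: empty".to_string());
    }
    // Only plain file/directory names are allowed. This rejects absolute paths
    // (RootDir / Prefix), `..` (ParentDir) and `.` (CurDir) in one pass, so the
    // joined path can only point at or below `base_dir`.
    if !requested.components().all(|c| matches!(c, Component::Normal(_))) {
        return Err(format!("Invalid path: {user_input:?}"));
    }
    let path = Path::new(base_dir).join(requested);
    // Defence in depth: the component check above already guarantees this.
    debug_assert!(path.starts_with(base_dir));
    Ok(path)
}

/// The naive check (join, then `starts_with`) for comparison: it is purely
/// lexical, so `base/../x` still "starts with" `base` component-wise.
pub fn naive_check_passes(base_dir: &str, user_input: &str) -> bool {
    Path::new(base_dir).join(user_input).starts_with(base_dir)
}

fn main() {
    // Constructed sample inputs: one benign name, three traversal attempts.
    for input in ["notes/today.md", "../etc/passwd", "/etc/passwd", "a/../../b"] {
        println!(
            "{input:<16} naive={:<5} safe={:?}",
            naive_check_passes("/srv/agentmem", input),
            safe_join("/srv/agentmem", input)
        );
    }
}
```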
**Code Review**
- All security-related changes require 2 approvers
- Security-sensitive code must be documented
- Use `unsafe` sparingly and document why it's necessary

**Dependency Management**
- Keep dependencies up-to-date
- Review security advisories for dependencies
- Use `cargo audit` regularly

**Testing**
- Include security tests in PRs
- Test for common vulnerabilities (injection, XSS, etc.)
- Use fuzzing for security-critical code

**Secrets Management**
- Never commit secrets to git
- Use environment variables for configuration
- Rotate secrets regularly
AgentMem includes several security features:
- SQLite database encryption support
- Configurable encryption keys
- Secure key storage via OS keychain
- API key authentication
- JWT token support
- OAuth 2.0 integration (enterprise)
- Role-based access control (RBAC)
- User/Agent isolation
- Multi-tenancy support
- Comprehensive audit trail
- Access logging
- Change tracking
**SQL Injection**

Vulnerable:
```rust
// DON'T DO THIS
let query = format!("SELECT * FROM memories WHERE content = '{}'", user_input);
```
Secure:
```rust
// DO THIS
let rows = sqlx::query("SELECT * FROM memories WHERE content = $1")
    .bind(user_input) // sent as a bound parameter, never spliced into the SQL text
    .fetch_all(pool)
    .await?;
```

**Path Traversal**

Vulnerable:
```rust
// DON'T DO THIS
let path = format!("{}/{}", base_dir, user_input);
```
Secure:
```rust
// DO THIS
use std::path::{Component, Path};

// Reject absolute paths and `..` before joining: Path::join replaces the base
// when given an absolute path, and a lexical starts_with check does not reject
// `..` components, so `base_dir/../etc/passwd` would otherwise pass it.
if !Path::new(user_input).components().all(|c| matches!(c, Component::Normal(_))) {
    return Err("Invalid path".into());
}
let path = Path::new(base_dir).join(user_input);
if !path.starts_with(base_dir) {
    return Err("Invalid path".into());
}
```

**Denial of Service**

Mitigations:
- Rate limiting
- Request size limits
- Timeout enforcement
- Resource quotas
```rust
let config = Config::builder()
    .with_max_request_size(10_000_000) // 10 MB
    .with_rate_limit(RateLimit::per_minute(100))
    .build();
```
We use GitHub Dependabot and GitHub Actions to monitor dependencies:
- Dependabot: Automatically opens PRs for vulnerable dependencies
- Security Workflow: Runs `cargo audit` on every PR
- Monthly Reviews: Manual review of dependency updates
```bash
# Check for vulnerabilities
cargo audit
# Check for outdated dependencies
cargo outdated
```
| Date | Auditor | Scope | Report |
|---|---|---|---|
| TBD | TBD | Core library, plugins, server | TBD |
If you're interested in sponsoring a security audit, please contact security@agentmem.dev.
- Email: security@agentmem.dev
- PGP Key: [To be added]
- Security Policy: This document
Last updated: 2025-01-05