Synapse Context Engine (SCE) is currently in alpha research status (v0.2.1-alpha). While we take security seriously, this project is not yet recommended for production use with sensitive data.

DO NOT open public issues for security vulnerabilities.

Instead, please report security issues privately:

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill out the form with details

Email: [Your security contact email]

Subject line: [SECURITY] SCE Vulnerability Report

Please provide:

• Description: Clear explanation of the vulnerability
• Impact: What an attacker could achieve
• Steps to Reproduce: Detailed reproduction steps
• Affected Versions: Which versions are impacted
• Suggested Fix: If you have ideas (optional)
• Disclosure Timeline: Your expectations for public disclosure

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix & Disclosure: Depends on severity (typically 30-90 days)

SCE operates primarily in local-first environments:

• Web: Runs in browser with no backend
• Desktop: Tauri app with local file system access
• Data: Stored locally (no cloud sync by default)

Risk: Malicious nodes or edges could be injected through user input
Status: Basic sanitization implemented
Mitigation: Input validation on entity creation

Risk: Large graphs could cause memory issues
Status: No hard limits enforced
Mitigation: Monitor graph size, implement pruning

Risk: Carefully crafted queries could trigger unintended memory retrieval
Status: Under research
Mitigation: Activation thresholds provide some protection

Risk: Sensitive data stored in browser localStorage/IndexedDB
Status: No encryption at rest
Mitigation: Users should not store sensitive data in alpha version

Risk: Tauri app has limited file system access
Status: Scope-limited by Tauri permissions
Mitigation: Review src-tauri/tauri.conf.json permissions

As an AI safety-focused project, we welcome security research including:

• ✅ Memory manipulation attacks
• ✅ Adversarial query patterns
• ✅ Graph poisoning techniques
• ✅ Contradiction injection
• ✅ Privacy leakage through graph structure
• ✅ Resource exhaustion attacks
• ✅ Hebbian learning exploitation

• ❌ Social engineering
• ❌ Physical attacks
• ❌ Attacks requiring local system compromise
• ❌ Third-party dependencies (report to upstream)

We follow a coordinated disclosure model:

1. Report vulnerability privately
2. Work with us on a fix
3. Public disclosure after patch release
4. Recognition in security advisory (if desired)

We recognize security researchers who help improve SCE:

No reports yet — be the first!

Web Version:

• Don't store sensitive/personal data during alpha
• Use incognito mode for testing with real data
• Clear browser storage after sessions

Desktop Version:

• Review file permissions before building
• Don't grant unnecessary system access
• Keep application updated

Development:

• Don't commit API keys or credentials
• Use environment variables for sensitive config
• Review dependencies regularly (npm audit)

• Run npm audit before submitting PRs
• Sanitize all user inputs
• Validate graph operations
• Document security implications of changes
• Use TypeScript strict mode
• Avoid eval() and Function() constructors

Security patches will be:

• Released as priority updates
• Documented in release notes
• Announced in repository discussions
• Tagged with security label

Subscribe to repository releases to stay informed.

• Adversarial Robustness Toolbox
• AI Safety Reading List
• OWASP Machine Learning Security

• Graph Database Security Best Practices
• Knowledge Graph Attacks

• Security Issues: Use GitHub Security Advisories (preferred)
• General Security Questions: GitHub Discussions
• Maintainer: Lasse "Sasu" Sainia - sasus.dev

Thank you for helping keep SCE and the community safe! 🛡️