Responsible disclosure

Security Policy

We take security seriously. If you discover a vulnerability in Admina, please report it responsibly so we can address it before public disclosure.

Supported versions

Security fixes are applied to the latest stable release. We strongly recommend always running the most recent version of Admina.

Version Supported
v0.9.x (latest, pre-1.0) โœ“ Active

How to report a vulnerability

Please do not open a public GitHub issue for security vulnerabilities. Instead, use one of the following private channels:

โš‘
GitHub Private Advisory
Preferred method. Submit a private security advisory directly on GitHub โ€” encrypted, tracked, and coordinated.
โ†’
โœ‰
Email
Send a detailed report to info@admina.org. Encrypt with our PGP key if possible (available on GitHub).
โ†’

What to include in your report

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce (proof of concept, if available)
  • Affected version(s) and configuration
  • Any suggested mitigations or patches

The more detail you provide, the faster we can triage and patch.

Our commitment to you

โฑ
48-hour acknowledgement

We will acknowledge receipt of your report within 48 hours.

๐Ÿ”
Initial assessment within 5 business days

We confirm, classify, and determine severity within five business days.

๐Ÿ› 
Fix timeline within 10 business days

We communicate a concrete fix timeline within ten business days of acknowledgement.

๐Ÿ…
Credit

With your permission, we credit you in the release notes and security advisory.

๐Ÿ“ข
Coordinated disclosure

We coordinate timing with you before publishing the advisory and ask for reasonable time to release a fix.

Scope

In scope for security reports:

  • Prompt injection bypass (Agent Security domain)
  • PII leakage through redaction bypass (Data Sovereignty domain)
  • Hash chain tampering or forgery (Compliance domain)
  • Authentication bypass (ADMINA_API_KEY validation)
  • The Admina proxy (admina/ Python package) and the Rust core engine (admina_core)
  • Dependency vulnerabilities with known exploits

Out of scope: the admina.org website itself and third-party dependencies without known Admina-specific exploits (report those upstream).

Safe harbour

We consider good-faith security research to be authorized and will not pursue legal action against researchers who follow this policy. We ask that you avoid accessing or modifying data belonging to other users, disrupting production systems, or publicly disclosing before the coordinated disclosure window has elapsed.

This policy is inspired by OWASP Vulnerability Disclosure best practices. View our full SECURITY.md on GitHub.