Security: tinyhumansai/tinychannels

Security Policy

TinyChannels is a channel and messaging library for OpenHuman harness communication. Security-sensitive areas include message routing, transport adapters, channel identity, harness boundaries, event metadata, prompt or context payloads, and credentials passed through runtime context.

Report concerns to contact@tinyhumans.ai.

Supported Versions

TinyChannels is pre-1.0. Security fixes target the main branch until the project starts maintaining release branches.

Reporting A Vulnerability

Please do not open a public issue for a suspected vulnerability.

Report security concerns by emailing security@tinyhumans.ai with:

  • a description of the issue
  • affected versions or commits
  • reproduction steps or proof of concept
  • impact assessment
  • any suggested fix or mitigation

We will acknowledge reports as quickly as practical and coordinate disclosure before publishing details.

Scope

Examples of in-scope issues:

  • unintended cross-channel message leakage
  • unsafe handling of credentials or secrets
  • harness communication bypassing expected policy boundaries
  • incorrect channel identity or routing metadata
  • dependency vulnerabilities with a practical exploit path in TinyChannels

Examples generally out of scope:

  • low-quality model output by itself
  • unsafe workflows caused by downstream applications granting broad authority
  • vulnerabilities in downstream applications that use TinyChannels incorrectly

There aren't any published security advisories