The following versions of Adversarial Debate are currently supported with security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
Use GitHub's private vulnerability reporting
This is the preferred method. The form will guide you through the process.
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: What an attacker could achieve by exploiting this vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected
- Potential Fix: If you have suggestions for fixing the vulnerability
- Acknowledgment: Within 48 hours of report receipt
- Initial Assessment: Within 5 business days
- Status Updates: Every 7 days until resolution
- Resolution Target: Within 90 days for most vulnerabilities
- We follow coordinated disclosure
- We will work with you to understand and validate the issue
- We will develop and test a fix before public disclosure
- We will credit reporters in the security advisory (unless anonymity is requested)
Adversarial Debate is designed for security testing. The framework processes potentially malicious code, so security is paramount.
┌─────────────────────────────────────────────────────────────────┐
│ TRUSTED ZONE │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Config │ │ Agents │ │ Store │ │
│ │ System │ │ (LLM) │ │ (Beads) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │ │ │ │
│ └──────────────────┼──────────────────┘ │
│ │ │
│ ┌───────┴───────┐ │
│ │ Sandbox │ │
│ │ (Execution) │ │
│ └───────┬───────┘ │
└────────────────────────────┼────────────────────────────────────┘
│
┌────────┴────────┐
│ UNTRUSTED ZONE │
│ │
│ - User Code │
│ - LLM Output │
│ - External I/O │
└─────────────────┘
| Threat | Mitigation |
|---|---|
| Code Execution Escape | Docker isolation, resource limits, process sandboxing |
| Path Traversal | Input validation, symlink detection, path canonicalization |
| Resource Exhaustion | Memory/CPU limits, timeout enforcement, input size limits |
| Injection Attacks | Input sanitisation, parameterised queries in store |
| Sensitive Data Exposure | API key hiding, secure temp file handling |
| Denial of Service | Rate limiting, resource limits, timeout handling |
The sandbox execution environment implements multiple layers of defence:
- Identifier Validation: Blocks dangerous Python builtins (
exec,eval,__import__, etc.) - Code Size Limits: Maximum 1MB of code input
- Input Size Limits: Maximum 10MB total, 1MB per value
- Path Validation: No symlinks, no directory traversal
Docker Mode (Recommended):
# Resource limits enforced
- Memory: Configurable (default 256MB)
- CPU: Configurable (default 1 core)
- Network: Disabled by default
- Capabilities: Dropped
- Read-only filesystem: EnabledSubprocess Mode (Fallback):
# setrlimit restrictions
- RLIMIT_AS: Virtual memory limit
- RLIMIT_CPU: CPU time limit
- RLIMIT_FSIZE: File size limit
- RLIMIT_NOFILE: Open file descriptor limit- Atomic Creation: Files created with
O_CREAT | O_EXCLflags - Secure Permissions: 0o600 (owner read/write only)
- Secure Random Names:
secrets.token_hex(16)for temp files - Automatic Cleanup: Temp files removed after execution
- SIGKILL Termination: Reliable process termination (not SIGTERM)
- Timeout Enforcement: Strict timeout with automatic kill
- Resource Monitoring: Memory and CPU usage tracking
- API keys are loaded from environment variables or secure config files
- Keys are never logged in plaintext
- Keys are never included in bead store entries
config.to_dict()automatically redacts sensitive values
- Read-only Intent: The bead store is append-only by design
- SQL Injection Prevention: All queries use parameterised statements
- FTS5 Safe Queries: Full-text search uses SQLite's built-in escaping
- File Permissions: Database files created with restricted permissions
# .env file should have restricted permissions
chmod 600 .env
# Never commit .env to version control
# Use .env.example as a template- Use Docker Mode: Always use Docker sandbox in production
- Network Isolation: Run in isolated network environment
- Resource Limits: Set appropriate memory/CPU limits
- Logging: Enable audit logging for compliance
- Access Control: Restrict who can run analyses
- Input Validation: Validate all code inputs before analysis
Avoid these configurations in production:
# DON'T: Disable sandbox
sandbox_config = SandboxConfig(enabled=False) # Dangerous!
# DON'T: Allow network access in sandbox
sandbox_config = SandboxConfig(network_enabled=True) # Risk of data exfiltration
# DON'T: Set unlimited resources
sandbox_config = SandboxConfig(
memory_limit_mb=0, # No limit - risk of resource exhaustion
timeout_seconds=0, # No timeout - risk of hanging
)- Store API keys in environment variables, not code
- Use Docker sandbox mode in production
- Set appropriate resource limits
- Run in an isolated environment
- Review findings before acting on them
- Keep the framework updated
- Never log sensitive data (API keys, tokens, credentials)
- Validate all inputs, especially file paths and code
- Use parameterised queries for database operations
- Follow the principle of least privilege
- Add security tests for new features
- Document security implications of changes
We thank the following individuals for responsibly disclosing security issues:
No security issues have been reported yet.