Security

Please do not report security vulnerabilities through public GitHub issues, Discussions, or social media.

How to report

1. Email — security@mythos-agent.com
2. GitHub private vulnerability reporting — file a private advisory

Service-level targets

• Acknowledgment: within 48 hours
• Triage: within 5 business days
• Fix or mitigation: within 14 days for critical/high, 30 days for medium/low
• Public disclosure: after fix is released, on a timeline agreed with the reporter

What to include

• Description of the vulnerability
• Steps to reproduce
• Potential impact and severity assessment
• Suggested fix (optional)
• Disclosure timeline expectations

Scope

The full policy — covered components, out-of-scope items, threat model, EU CRA stance, and bug bounty posture — lives at SECURITY.md.

Last updated: 2026-04-20.