Microsoft takes the security of our software products and services seriously, which includes all source code repositories in our GitHub organizations.
Please do not report security vulnerabilities through public GitHub issues.
For security reporting information, locations, contact information, and policies, please review the latest guidance for Microsoft repositories at https://aka.ms/SECURITY.md.
Do NOT open a GitHub issue for security vulnerabilities.
Report through the Microsoft Security Response Center (MSRC):
Include: description, reproduction steps, impact assessment, suggested mitigations.
We acknowledge receipt within 24 hours and respond within 72 hours.
Nine independent defense-in-depth layers, all active by default:
- Azure Infrastructure — NSG, AKS API server IP allowlist, DDoS protection
- Azure Linux — SELinux-enforcing nodes, automatic security patching
- Kata VM (confidential) — per-pod dedicated kernel
- Container Hardening — read-only rootfs, non-root (UID 1000), drop ALL capabilities
- Kernel Confinement — custom seccomp profile (`kars-strict`) with a deny-by-default syscall allowlist
- Network Segmentation — iptables UID-based egress + egress proxy with allowlist/learn mode + a large domain blocklist (tens of thousands of entries; see `blocklists/`)
- Inference Safety — Content Safety + Prompt Shields (Foundry-side guardrails, parsed from model responses) + per-sandbox token budgets
- AGT Governance — PolicyEngine (YAML rules) gates tool execution pre-call, TrustManager (Ed25519-signed scoring), SHA-256 Merkle audit chain, RateLimiter, BehaviorMonitor. Denies sensitive file access, recon tools, cloud metadata, destructive commands.
- E2E Encrypted Mesh — Signal Protocol (X3DH + Double Ratchet), KNOCK trust handshake, per-message forward secrecy via AgentMesh relay/registry
See docs/security.md for the full breakdown.
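The tamper-evident audit log named in the AGT Governance layer, as an added illustration of the concept and not the project's own code: a SHA-256 hash chain over tool-execution decisions plus a Merkle root that a signer could commit to. The record layout, the `GENESIS` constant and the sample decisions are assumptions made here.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # hypothetical anchor hash for an empty chain

def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def _canonical(event: dict) -> str:
    # Stable serialization so the same event always hashes identically
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def append_entry(chain: List[dict], event: dict) -> dict:
    """Append a tool-execution decision; each record commits to its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    record["hash"] = _sha256(prev + _canonical(event))
    chain.append(record)
    return record

def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first broken or altered record, or None if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _sha256(prev + _canonical(rec["event"]))
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return None

def merkle_root(chain: List[dict]) -> str:
    """Merkle root over recomputed leaf hashes: one short value that can be signed or published."""
    level = [_sha256(r["prev"] + _canonical(r["event"])) for r in chain] or [GENESIS]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last leaf on odd-sized levels
        level = [_sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def demo() -> tuple:
    chain: List[dict] = []
    # Constructed sample decisions, modelled on the denial categories named above
    append_entry(chain, {"tool": "read_file", "path": "/etc/shadow", "decision": "deny"})
    append_entry(chain, {"tool": "http_get", "host": "169.254.169.254", "decision": "deny"})
    append_entry(chain, {"tool": "shell", "cmd": "ls -la", "decision": "allow"})
    intact, root_before = verify_chain(chain), merkle_root(chain)
    chain[1]["event"]["decision"] = "allow"  # simulate post-hoc tampering with one record
    return intact, verify_chain(chain), root_before != merkle_root(chain)
```

Signing the Merkle root (the page attributes Ed25519 signing to the TrustManager) is left out; the chain alone shows where an edit happened, the root shows that one happened.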
| Version | Supported |
|---|---|
| 0.x (alpha) | Best-effort |
Patches are released as soon as possible after verification. Subscribe to GitHub releases to be notified.