Security

Security policy.

How to report vulnerabilities, what we consider in-scope, and the hardening checklists we recommend for site operators and agent runtimes.

Reporting vulnerabilities

If you discover a security issue in AHTML, please do not open a public GitHub issue. Instead, email rdibbayajyoti@gmail.com.

We respond within 72 hours and aim to ship fixes within 14 days for critical, 30 days for high, and 90 days for medium and below.

Supported versions

Version	Supported
v0.1.x	active
< v0.1	—

We support v0.x lines for 6 months after the next major release.

Threat model

AHTML is infrastructure for declaring what a page contains and what actions are available on it. Action execution is your existing backend's concern. The integrity of AHTML's declarations is the v0.2 signing concern.

In-scope threats

Threat	Mitigation
Tampering in transit	v0.2: signed snapshots (JWS over canonical JSON, did:web)
Malicious site serving fake AHTML	v0.2: agent SDK rejects unsigned snapshots in strict mode
Replay of stale snapshots	`ttl` + `fetched_at` + ETag
Agent firing irreversible / costly actions	Action contract: `confirmation`, `reversible`, `side_effects`
Unbounded snapshot fetches (DoS)	`policy.rate_limit` enforced per source
Information disclosure via snapshot	Site owner controls `buildSnapshot` output
Polluted route discovery	`/.well-known/ahtml.json` as trusted entry point

Out of scope

Concerns of your existing stack, not AHTML: prompt injection of the agent, auth/authz, CSRF on action endpoints, SQLi/XSS in your app, and compromise of the agent's identity material.

Hardening checklist — site operators

Set policy.agents_welcome: false if you want zero agent traffic — or simply don't install the plugin.
Set policy.rate_limit to a value your origin can serve. Default 300/min is sane.
Set policy.contact to a monitored channel.
For action endpoints, require auth: 'required'.
Set confirmation: 'required' on any action that costs money, sends to third parties, or deletes data.
Never put PII, secrets, or internal IDs in snapshot fields.
Log all calls to /ahtml/* and action endpoints.
v0.2: sign snapshots against a did:web identity at your domain.

Hardening checklist — agent runtimes

Honor confirmation: 'required'. Don't fire without explicit user consent.
Honor reversible: { reversible: false }. Treat as confirmation: required.
Honor policy.rate_limit. Back off on 429.
Verify signatures (v0.2). Refuse unsigned snapshots when your threat model requires.
Check freshness and ttl. Don't act on stale data.
Use preview_url for dry-run when available.
Identify yourself via User-Agent.

Public disclosures

Resolved security issues are listed in CHANGELOG.md and GitHub Security Advisories. CVE assignment via the GitHub CNA.

Email security@Contact