# Security Policy

## Supported Versions

Security fixes are applied to the latest release and the `main` branch.

## Reporting a Vulnerability

Do not open a public issue for an undisclosed vulnerability. Use the repository host's private security-reporting feature when available, or contact the repository owner privately. Include affected versions, impact, reproduction steps, and any suggested mitigation.

Maintainers should acknowledge a report within seven days and coordinate disclosure after a fix is available.

## Deployment Baseline

MAESTRO can execute tools, browser actions, and optionally SSH commands. Treat it as a privileged service:

- Keep the service bound to localhost until OAuth authentication is configured.
- Put internet-facing deployments behind a TLS reverse proxy.
- Set `safety.bash_sandbox: always` for multi-user deployments.
- Keep `MCP_ENCRYPTION_KEY`, OAuth secrets, SSH keys, and provider credentials outside the repository and rotate them after suspected exposure.
- Restrict `/metrics` with a bearer token or an explicit source-IP allowlist.
- Review enabled tools and integrations before granting access to untrusted users.
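The TLS reverse proxy and the `/metrics` restriction from the baseline above, as one nginx configuration. This is an added example, not a file shipped by the MAESTRO project: the upstream port `127.0.0.1:8000`, the hostname `maestro.example.com`, the certificate paths, the monitoring host `10.0.0.5`, and the token value `METRICS_TOKEN_PLACEHOLDER` are all placeholders to replace with your own deployment's values.

```nginx
# Added example (not part of the MAESTRO project). Assumes MAESTRO is bound to
# 127.0.0.1:8000 (placeholder port) and is never exposed directly; nginx terminates TLS.

server {
    listen 443 ssl;
    server_name maestro.example.com;                      # placeholder hostname

    ssl_certificate     /etc/ssl/certs/maestro.crt;       # placeholder paths
    ssl_certificate_key /etc/ssl/private/maestro.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # /metrics: both controls from the baseline applied together.
    # 1) explicit source-IP allowlist: only the monitoring host may reach it;
    # 2) bearer token: any other caller, or a missing/wrong token, gets 401.
    location = /metrics {
        allow 10.0.0.5;                                   # monitoring host (placeholder)
        deny  all;
        if ($http_authorization != "Bearer METRICS_TOKEN_PLACEHOLDER") {
            return 401;
        }
        proxy_pass http://127.0.0.1:8000;
    }

    # Everything else goes to the service; OAuth on the service side still applies.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket upgrade headers, needed if browser/tool streaming uses them
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Plain HTTP only redirects to HTTPS; no application traffic is served over it.
server {
    listen 80;
    server_name maestro.example.com;                      # placeholder hostname
    return 301 https://$host$request_uri;
}
```

Check it with `nginx -t` before reloading. The `deny all` line makes the allowlist explicit rather than relying on the absence of a matching `allow`, and keeping the bearer-token check in the same `location` block means a misconfigured allowlist still leaves the token requirement in place.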