Currently, we provide security updates for the following versions of BMW Agents:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue in the BMW Agents framework, please follow these steps:
- Do not disclose the vulnerability publicly until it has been addressed by the maintainers.
- Submit a report to the project maintainers by opening an issue labeled "[SECURITY]" with a clear description of the issue.
- Include relevant information such as:
- Type of vulnerability
- Affected components or functionality
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
When a security vulnerability is reported, the maintainers will:
- Acknowledge receipt of the vulnerability report within 48 hours
- Assess the vulnerability and determine its scope and severity
- Develop and test a fix
- Release a patched version as soon as possible
When using BMW Agents, consider these security best practices:
- API Keys: Store API keys and credentials securely. Never hardcode them in your application code.
- Tool Permissions: Be mindful of the permissions granted to tools used with agents. Tools should follow the principle of least privilege.
- Input Validation: Validate and sanitize all inputs, especially user-provided content that might be used in prompts.
- Content Filtering: Implement appropriate content filtering for agent outputs when deployed in public-facing applications.
- Regular Updates: Keep your BMW Agents installation up to date with the latest security patches.
Be aware of security implications in dependencies:
- LLM Providers: Review the security policies of any LLM provider you're using with BMW Agents
- Third-party Tools: Ensure any third-party tools integrated with your agents are properly vetted for security issues
We follow a coordinated disclosure approach. Once a vulnerability is fixed, we will publish security advisories with appropriate credits to the reporter.