Silas runs LLM agents with operational access to network and security infrastructure. That access is the product — and the attack surface. This page describes our threat model, what is built today, what is in flight, and how to report a vulnerability.
We are transparent about gaps. Every item labeled Gap on this page is tracked by a public implementation epic in YouTrack. We do not claim SOC 2, ISO 27001, or FedRAMP. When we do, it will appear here.
| Area | Status | Notes |
|---|---|---|
| NATS hub ↔ leaf mTLS + NKey (Ed25519) authentication | Shipped | Challenge-response; per-install client certs |
| Gandalf knowledge capsules encrypted at rest (age) | Shipped | Capsule signing in flight (P1) |
| Ed25519-signed built-in prompts | Shipped | Immutability guards, hot-swap reload |
| CI security scanning: CodeQL, Bandit, Semgrep, TruffleHog, Trivy, OSSF Scorecard, SBOM (CycloneDX) | Shipped | Per repo, blocking on merge |
| Output sanitization & redaction at MCP boundary | Shipped | API keys, tokens, JWTs, SSH keys, optional IPs |
| 1Password runtime credential resolution | Shipped | In-memory only; never persisted |
| Automated incident reporting on unhandled exceptions | Shipped | Ticketed into internal tracker |
| IAA target architecture (Identity / AuthN / AuthZ / Non-repudiation) | In Progress | Target design documented; enforcement gaps below |
| Gandalf capsule signatures | In Progress | Epic P1 — Phase 5 of Gandalf |
| Credential at-rest encryption (credentials.json, NKey seeds) | Gap | Epic P2 — fix landing this quarter |
| Release binary signing + SLSA attestation | Gap | Epic P3 — Sigstore/Cosign |
| Service token hardening (current: XOR+base64 in CLI binary, decompilable) | Gap | Epic P4 — per-install keychain-stored token |
| Tenant isolation enforced at API layer | Gap | Epic P6 — tenant_id field not yet validated on read/write |
| Active cross-platform sandboxing (Linux/macOS/Windows) | Partial | macOS active; Linux partial; Windows Gap — Epic P8 |
| Public vulnerability disclosure program | Launching | Epic P9 — [email protected] + SLAs below |
Silas's threat model is framed against MITRE ATLAS — the AI-system counterpart to ATT&CK. We enumerate adversary classes, trust boundaries, and per-threat mitigations with explicit severity ratings. Residual risk is named, not hidden.
View the full threat model →
Every Silas install receives a unique install_id and an Ed25519 NKey seed at activation. NATS leaf connections authenticate via challenge-response (no passwords on the wire) and enforce mTLS with per-install client certificates issued by a Silas-operated CA. Subject permissions are scoped per install — silas.{install_id}.logs.*, silas.{install_id}.trace.*, and tenant-scoped Hive subjects. Admin endpoints require a separate NKey + TLS bundle.
License tiers (trial / pro / enterprise / internal) gate feature access and determine credential-provisioning scope (shared vs. per-tenant 1Password vaults).
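The activation and authentication flow above, as an added Go example that is not Silas's own code: a per-install Ed25519 key pair stands in for the NKey seed (NKeys wrap Ed25519 keys), the hub stores only public keys, authentication is a signature over a fresh random nonce, and authorization is a per-install subject pattern check. The Install and Hub types, the token-matching helper and the install IDs are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Install models one Silas install: its install_id plus the Ed25519 key pair that
// an NKey seed wraps. Assumption for this example: raw Ed25519 keys stand in for
// the base32 NKey encoding.
type Install struct {
	ID   string
	priv ed25519.PrivateKey
}

// Hub holds only public keys and per-install subject permissions; no secret ever
// reaches it, so a hub compromise cannot impersonate an install.
type Hub struct {
	pubKeys map[string]ed25519.PublicKey
	allowed map[string][]string // install_id -> publish subject patterns
}

// NewInstall generates the per-install key pair at activation time. Characters
// that have meaning in NATS subjects are rejected so an ID cannot widen its scope.
func NewInstall(id string) (*Install, error) {
	if id == "" || strings.ContainsAny(id, ".*>") {
		return nil, errors.New("install_id must be non-empty and free of . * >")
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Install{ID: id, priv: priv}, nil
}

func (i *Install) Public() ed25519.PublicKey { return i.priv.Public().(ed25519.PublicKey) }

// Sign is the client half of challenge-response: sign the hub's nonce, send nothing else.
func (i *Install) Sign(nonce []byte) []byte { return ed25519.Sign(i.priv, nonce) }

func NewHub() *Hub {
	return &Hub{pubKeys: map[string]ed25519.PublicKey{}, allowed: map[string][]string{}}
}

// Register records the public key and scopes the install to its own subjects.
func (h *Hub) Register(id string, pub ed25519.PublicKey) {
	h.pubKeys[id] = pub
	h.allowed[id] = []string{"silas." + id + ".logs.*", "silas." + id + ".trace.*"}
}

// Nonce issues a fresh 32-byte challenge; a signature over an old nonce is useless.
func (h *Hub) Nonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify is the hub half: the signature must verify under the key registered for
// exactly this install_id.
func (h *Hub) Verify(id string, nonce, sig []byte) error {
	pub, ok := h.pubKeys[id]
	if !ok {
		return errors.New("unknown install")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify for this install")
	}
	return nil
}

// matchSubject applies NATS token matching: "*" matches one token, ">" matches
// one or more trailing tokens.
func matchSubject(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// CanPublish is the authorization check run after a successful Verify.
func (h *Hub) CanPublish(id, subject string) bool {
	for _, pat := range h.allowed[id] {
		if matchSubject(pat, subject) {
			return true
		}
	}
	return false
}

func main() {
	hub := NewHub()
	inst, err := NewInstall("inst-demo") // constructed install_id
	if err != nil {
		panic(err)
	}
	hub.Register(inst.ID, inst.Public())
	nonce, _ := hub.Nonce()
	fmt.Println("auth:", hub.Verify(inst.ID, nonce, inst.Sign(nonce)))
	fmt.Println("own logs:", hub.CanPublish(inst.ID, "silas.inst-demo.logs.app"))
	fmt.Println("other install's logs:", hub.CanPublish(inst.ID, "silas.other.logs.app"))
}
```

The two checks are deliberately separate: Verify answers "is this really install X" and CanPublish answers "may install X write here". A signature from one install never verifies under another install's key, and the "*" token in the allowed patterns permits exactly one trailing segment, so an install cannot reach a sibling's subjects or deeper subject trees by appending tokens.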
| Data class | Leaves device? | Retention |
|---|---|---|
| Prompt content | Yes — to LLM provider (BYOK) | Provider-defined; Silas doesn't store by default |
| MCP tool I/O (traces, logs) | Sanitized → NATS hub if enabled | 7d traces / 30d logs |
| Vendor credentials | No — resolved from vault / env, in memory only | Session duration |
| Install identity | Yes — to gateway (activation + heartbeat) | Until deletion request |
| Usage telemetry | Opt-in (SILAS_TELEMETRY=true; off by default) | 90d aggregated |
| Debug artifacts | Only on explicit silas support bundle | With support ticket lifecycle |
Output sanitization is on by default and redacts API keys, Slack/GitHub/JWT tokens, SSH private keys, and (optionally) IP addresses before anything leaves the leaf. Primary data region: GCP us-central1.
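The redaction step described above, as an added Go example rather than the project's own sanitizer: one regular expression per secret class the page names, IP redaction as an opt-in, and fail-closed behaviour (an empty string plus an error instead of raw output whenever a rule fails). The patterns, the rule names and the sample tool output are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule pairs a secret class with the pattern that detects it.
type rule struct {
	name string
	re   *regexp.Regexp
}

// Detection patterns constructed for this example; the project's own matchers are not on the page.
var secretRules = []rule{
	{"aws_access_key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"slack_token", regexp.MustCompile(`\bxox[baprs]-[0-9A-Za-z-]{10,}`)},
	{"github_token", regexp.MustCompile(`\bgh[pousr]_[0-9A-Za-z]{36,}`)},
	{"jwt", regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)},
	{"ssh_private_key", regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`)},
}

// ipRule is applied only when the operator opts in to IP redaction.
var ipRule = rule{"ipv4", regexp.MustCompile(`\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b`)}

// sanitizeWith runs the rules in order and counts hits per class. It fails closed:
// a panic inside any rule yields an empty string and an error, never the raw text.
func sanitizeWith(in string, rules []rule) (out string, counts map[string]int, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, counts, err = "", nil, fmt.Errorf("sanitizer failed, output dropped: %v", r)
		}
	}()
	counts = make(map[string]int, len(rules))
	out = in
	for _, r := range rules {
		n := 0
		out = r.re.ReplaceAllStringFunc(out, func(string) string {
			n++
			return "[REDACTED:" + r.name + "]"
		})
		counts[r.name] = n
	}
	return out, counts, nil
}

// Sanitize is the call at the MCP boundary: secrets are always redacted, IPs on request.
func Sanitize(in string, redactIPs bool) (string, map[string]int, error) {
	rules := append([]rule(nil), secretRules...)
	if redactIPs {
		rules = append(rules, ipRule)
	}
	return sanitizeWith(in, rules)
}

// Constructed sample of tool output for this example; every secret in it is fake.
const sampleToolOutput = `ssh -i id_ed25519 admin@10.0.0.5
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SLACK_TOKEN=xoxb-123456789012-abcdefghij
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzaWxhcyJ9.c2lnbmF0dXJl
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==
-----END OPENSSH PRIVATE KEY-----`

func main() {
	out, counts, err := Sanitize(sampleToolOutput, true)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println(counts)
}
```

The per-class counts are what you would emit as a metric: a sudden rise in one class from a particular tool is an early signal that the tool is leaking credentials. The recover block is the fail-closed guarantee the page describes; a caller that receives an error must drop the output rather than forward the unsanitized text.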
… main push for silas-core; attached to releases
… (uv.lock, Cargo.lock, pnpm-lock.yaml)

Silas ships deny-by-default on the dimensions that matter. Everything below is the factory setting — tenant admins can add to allowlists, never subtract from deny lists.
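One of those factory settings, the web_fetch block on private, link-local and loopback ranges with DNS pinning against rebinding, worked as an added Go example that is not Silas's own code. The denied ranges come from the page's list; the IPv6 counterparts and the unspecified address, the Resolver abstraction, the PinnedTarget type and the client wiring are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Ranges web_fetch refuses by default, built from the page's list (RFC1918,
// link-local, loopback, 169.254.*). The IPv6 counterparts and the unspecified
// address are assumptions added here.
var deniedPrefixes = func() []netip.Prefix {
	var out []netip.Prefix
	for _, s := range []string{
		"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", // RFC1918
		"127.0.0.0/8", "::1/128", // loopback
		"169.254.0.0/16", "fe80::/10", // link-local, 169.254.* included
		"0.0.0.0/8", "::/128", // unspecified
	} {
		out = append(out, netip.MustParsePrefix(s))
	}
	return out
}()

// IsDenied reports whether an address falls in a refused range. IPv4-mapped IPv6
// (::ffff:10.0.0.1) is unmapped first so it cannot slip past the IPv4 rules.
func IsDenied(a netip.Addr) bool {
	a = a.Unmap()
	for _, p := range deniedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS so the check can be exercised offline.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// PinnedTarget is a validated destination: the hostname for SNI and the Host
// header, plus the single address the dial is pinned to.
type PinnedTarget struct {
	Host string
	Addr netip.Addr
}

// CheckTarget resolves the hostname exactly once, refuses the fetch if ANY answer
// is in a denied range (a mixed answer is a rebinding signal), and pins the first
// answer for the dial.
func CheckTarget(ctx context.Context, rawURL string, resolve Resolver) (*PinnedTarget, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var addrs []netip.Addr
	if lit, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{lit} // literal address: no DNS involved
	} else if addrs, err = resolve(ctx, host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("no addresses")
	}
	for _, a := range addrs {
		if IsDenied(a) {
			return nil, fmt.Errorf("%s resolves to denied address %s", host, a)
		}
	}
	return &PinnedTarget{Host: host, Addr: addrs[0]}, nil
}

// Client dials only the pinned address, so the connect-time DNS lookup that a
// rebinding attack needs never happens; redirects are refused so that each new
// location goes back through CheckTarget.
func (t *PinnedTarget) Client() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return d.DialContext(ctx, network, net.JoinHostPort(t.Addr.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirect refused; re-check the new location")
		},
	}
}

// systemResolver is the production resolver; tests substitute a fake.
func systemResolver(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

func main() {
	_, err := CheckTarget(context.Background(), "http://[::ffff:10.0.0.1]/", systemResolver)
	fmt.Println("mapped private address:", err)
}
```

The two halves matter together: checking the resolved address and then letting the HTTP client resolve again at connect time leaves the classic rebinding window, which is why the dialer ignores the hostname it is handed and connects to the pinned address while the Transport still uses the hostname for TLS. Refusing redirects closes the other common bypass, a public host that 302s to an internal one.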
- preferences.toml ships with empty trusted_paths and an empty shell allowlist
- Built-in deny list for destructive commands (rm -rf /, curl … | sh, mkfs, dd, fork-bomb) — cannot be overridden
- web_fetch blocks RFC1918, link-local, loopback, 169.254.* by default; DNS pinning prevents rebinding
- Usage telemetry (SILAS_TELEMETRY) defaults to off
- MCP output sanitization (SILAS_SANITIZE_MCP_OUTPUTS) defaults to on; fails closed on error
- Unsigned built-in prompts are rejected by default (SILAS_ALLOW_UNSIGNED_PROMPTS=false)

Services Silas uses. BYOK LLM providers are customer relationships and not subprocessors of Silas.
| Service | Purpose |
|---|---|
| Google Cloud Platform | Cloud Functions, Cloud Run, GCS, Firebase Hosting, ClickHouse (GCE), BigQuery |
| 1Password | Customer credential vault, runtime-resolved via service account |
| GitHub | Source hosting, Actions runners, Security Advisories, Dependabot |
| Mailtrap | Transactional email (signup, verification, admin notifications) |
| Twilio (optional) | SMS admin alerts for registration approval |
| NATS.io (self-hosted on GCP) | Message bus for traces, logs, Gandalf distribution |
| Milvus (self-hosted) | Vector DB backing local Gandalf queries |
Report security issues to [email protected]. Please do not file public GitHub issues for security reports — public issues accelerate exploitation.
Good-faith research on in-scope assets is safe-harbored. Avoid privacy violations and service disruption, interact only with accounts you own or have permission for, report promptly, and hold disclosure until coordinated.
| Issue | Severity | Fix status |
|---|---|---|
| Service token XOR+base64 encoded in CLI binary (decompilable) | Critical | Epic P4 — rotate & re-provision on fix |
| credentials.json plaintext at rest | High | Epic P2 — Enterprise tier should use 1Password-only until fixed |
| Gandalf passphrase deterministic from public machine info | High | Epic P5 — not exploitable remotely; requires disk access |
| No release binary signing | High | Epic P3 — verify checksums at silas.netsecdev.ai/download/latest.json |
| Tenant isolation not enforced at API layer | High | Epic P6 — single-tenant deployments unaffected |
The bug bounty program is not yet operational. Researchers reporting the issues above already receive credit on request but do not currently qualify for payment.