| Version | Supported |
|---|---|
| 1.6.x | ✅ |
| 1.5.x | ✅ |
| < 1.5 | ❌ |
If you discover a security vulnerability in M31 Autonomous, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: eshanized@proton.me
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
What to expect after reporting:
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix or mitigation for confirmed vulnerabilities will be prioritized
- Credit will be given to reporters (unless anonymity is preferred)
M31 Autonomous is an AI coding agent that executes code and shell commands. By design, it requires trust in the LLM it uses: the model's output decides which files are read or written and which commands run, and that output can be wrong or steered by content the model reads. The layers below limit what a bad decision can do; they do not make the model trustworthy. Key security features:
| Layer | Mechanism |
|---|---|
| Permission gating | Every Bash command gated: allow / allow always / deny, with configurable timeout and default ask mode |
| Rate limiting | Token bucket: 20 burst / 10 sustained for normal tools; 5 burst / 2 sustained for dangerous tools |
| Concurrency control | Max 8 concurrent tool executions via semaphore |
| Command blocklist | Dangerous command patterns blocked at the tool boundary (defense-in-depth) |
| Path and size limits | Path traversal blocked at the tool boundary; 50MB cap per file read; stream-size caps |
| SSRF protection | WebFetch blocks private, loopback, and link-local IP addresses |
| DNS rebinding | WebSearch resolves a host once, validates the address, and caches it (5 min TTL), so the address that was checked is the address that is used; this closes the TOCTOU window a rebinding attacker relies on |
| Edit safety | 7-strategy cascade with collision-safe backups |
| Subagent depth | Max nesting depth of 2 to prevent runaway agent spawning |
| Zero telemetry | No data is sent anywhere except your configured LLM provider |
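As an added example (not M31's own code), here is the pattern behind the SSRF and DNS rebinding rows: every resolved address is validated, and the validated address is pinned so that the address checked is the address connected to. The names `is_blocked_ip`, `PinnedResolver`, `naive_target` and `pinned_target`, the attacker-controlled DNS and the sample URL are constructed for illustration; the 5-minute TTL comes from the table, everything else is an assumption.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Added example, not M31's own code. PinnedResolver, is_blocked_ip, naive_target
# and pinned_target are hypothetical names.

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings


def is_blocked_ip(addr: str) -> bool:
    """True for any address a fetch tool must never contact: loopback, private,
    link-local (incl. 169.254.169.254 metadata), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback wearing an IPv6 coat; unwrap before testing.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use (not exercised offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class PinnedResolver:
    """Resolve once, validate every answer, and pin the chosen address for `ttl`
    seconds. Callers connect to the pinned IP (sending the hostname in Host/SNI),
    so the address that was checked is the address that is used."""

    def __init__(self, resolver: Resolver, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._resolver = resolver
        self._ttl = ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}

    def resolve(self, host: str) -> str:
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        answers = self._resolver(host)
        if not answers:
            raise ValueError(f"{host}: no addresses")
        # A mixed answer (one public, one private) is the classic rebinding
        # trick, so reject the whole record if any address is blocked.
        bad = [a for a in answers if is_blocked_ip(a)]
        if bad:
            raise PermissionError(f"{host} resolves to blocked address {bad[0]}")
        chosen = answers[0]
        self._cache[host] = (chosen, now + self._ttl)
        return chosen


def naive_target(url: str, resolver: Resolver) -> str:
    """Vulnerable pattern: check the name, then let the HTTP client resolve it again."""
    host = urlparse(url).hostname
    if any(is_blocked_ip(a) for a in resolver(host)):
        raise PermissionError(f"{host} is blocked")
    return resolver(host)[0]  # second lookup: attacker's DNS may answer differently


def pinned_target(url: str, pinned: PinnedResolver) -> str:
    """Hardened pattern: the validated, cached address is the one we connect to."""
    return pinned.resolve(urlparse(url).hostname)


def rebinding_resolver(answers: List[List[str]]) -> Resolver:
    """Constructed attacker-controlled DNS: hands out successive answers per query."""
    it = iter(answers)
    return lambda host: next(it)


def demo() -> dict:
    url = "http://attacker.example/"  # constructed sample input
    rebind = [["93.184.216.34"], ["127.0.0.1"], ["127.0.0.1"]]

    naive = naive_target(url, rebinding_resolver(rebind))  # ends up at loopback

    clock = [0.0]
    pinned = PinnedResolver(rebinding_resolver(rebind), ttl=300.0, clock=lambda: clock[0])
    first = pinned_target(url, pinned)    # 93.184.216.34, validated and pinned
    clock[0] += 299.0
    second = pinned_target(url, pinned)   # cache hit: rebinding answer never consulted
    clock[0] += 2.0                       # TTL expired: re-resolve and re-validate
    try:
        pinned_target(url, pinned)
        after_ttl = "allowed"
    except PermissionError:
        after_ttl = "blocked"
    return {"naive": naive, "first": first, "second": second, "after_ttl": after_ttl}


if __name__ == "__main__":
    print(demo())
```

The pinned address must also be what the HTTP client actually connects to (connect by IP, send the original hostname in Host and SNI), and every redirect target has to go through `resolve` again; a check the client bypasses with its own lookup protects nothing.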
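As a second added example (again not M31's own code), the rate-limiting row as a token bucket with the numbers from the table: 20 burst / 10 sustained for normal tools and 5 burst / 2 sustained for dangerous ones. The page gives no time unit, so this assumes "sustained" means tokens per second; the tool names treated as dangerous and the class names `TokenBucket` and `ToolRateLimiter` are assumptions as well. A fake clock drives the simulation so the counts are deterministic.

```python
import threading
import time
from typing import Callable

# Added example, not M31's own code. "sustained" is assumed to be tokens per
# second, and DANGEROUS_TOOLS is an assumed classification.

DANGEROUS_TOOLS = frozenset({"Bash", "Write", "Edit"})


class TokenBucket:
    """Classic token bucket: `burst` tokens of capacity, refilled at `sustained`
    tokens per second. A call costs one token; an empty bucket rejects, never blocks."""

    def __init__(self, burst: int, sustained: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(burst)
        self.rate = float(sustained)
        self.tokens = float(burst)     # start full so the first burst is free
        self._clock = clock
        self._updated = clock()
        self._lock = threading.Lock()  # tool calls may arrive from several threads

    def _refill(self) -> None:
        now = self._clock()
        self.tokens = min(self.capacity, self.tokens + (now - self._updated) * self.rate)
        self._updated = now

    def try_acquire(self, cost: float = 1.0) -> bool:
        with self._lock:
            self._refill()
            if self.tokens >= cost:
                self.tokens -= cost
                return True
            return False


class ToolRateLimiter:
    """One bucket per tool class, sized as the table describes."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.normal = TokenBucket(burst=20, sustained=10, clock=clock)
        self.dangerous = TokenBucket(burst=5, sustained=2, clock=clock)

    def allow(self, tool: str) -> bool:
        bucket = self.dangerous if tool in DANGEROUS_TOOLS else self.normal
        return bucket.try_acquire()


def simulate() -> dict:
    """Drive the limiter with a fake clock; returns how many calls got through."""
    now = [0.0]
    lim = ToolRateLimiter(clock=lambda: now[0])

    read_burst = sum(lim.allow("Read") for _ in range(25))        # 20 of 25 pass
    bash_burst = sum(lim.allow("Bash") for _ in range(10))        # 5 of 10 pass
    now[0] += 1.0                                                 # one second of refill
    read_after_1s = sum(lim.allow("Read") for _ in range(25))     # 10 more
    bash_after_1s = sum(lim.allow("Bash") for _ in range(10))     # 2 more
    now[0] += 60.0                                                # long idle: capped at burst
    read_after_idle = sum(lim.allow("Read") for _ in range(100))  # 20, not 600
    return {
        "read_burst": read_burst, "bash_burst": bash_burst,
        "read_after_1s": read_after_1s, "bash_after_1s": bash_after_1s,
        "read_after_idle": read_after_idle,
    }


if __name__ == "__main__":
    print(simulate())
```

The cap in `_refill` is what makes "burst" mean something: an agent that idles for a minute does not bank 600 calls, it gets 20 again. Rejecting rather than sleeping is the right choice at a tool boundary, since the denial goes back to the model as a tool error instead of silently stalling the run.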
- Use the default permission mode (`prompt`) rather than `allow` for dangerous tools
- Keep your LLM API keys secure: use a keychain when available
- Review tool outputs: the LLM can see file contents and command outputs
- Run in isolated environments: use containers or VMs for untrusted code