Skip to main content

Supported Versions

We release security updates for the following versions:
VersionSupported
0.x.x
Hive is currently in active development (0.x versions). We take security seriously and encourage responsible disclosure of any vulnerabilities.

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please send an email to [email protected] with:
  1. A description of the vulnerability
    • Include the type of vulnerability (e.g., injection, authentication bypass, data exposure)
    • Specify which component is affected (core, tools, specific agent, etc.)
  2. Steps to reproduce the issue
    • Provide a clear, step-by-step guide to reproduce the vulnerability
    • Include any relevant code snippets, configurations, or payloads
    • Specify the environment (OS, Python version, Hive version)
  3. Potential impact of the vulnerability
    • Explain what an attacker could achieve
    • Assess severity (critical, high, medium, low)
    • Identify any data or systems at risk
  4. Any possible mitigations you’ve identified
    • Suggest temporary workarounds if available
    • Propose potential fixes if you have ideas

What to Expect

1

Acknowledgment

We will acknowledge receipt of your report within 48 hours.
2

Communication

We will keep you informed of our progress as we investigate and develop a fix.
3

Resolution

We aim to resolve critical vulnerabilities within 7 days.
4

Credit

We will credit you in our security advisories (unless you prefer to remain anonymous).

Safe Harbor

We consider security research conducted in accordance with this policy to be:
  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research
We value the security community’s efforts and will work with you to understand and resolve issues quickly.

Security Best Practices for Users

1. Keep Updated

Always run the latest version of Hive to benefit from security patches and improvements. 
# Update Hive
git pull origin main
uv sync

2. Secure Configuration

Review ~/.hive/configuration.json settings, especially in production: 
{
  "default_model": "claude-sonnet-4.5",
  "use_claude_code_subscription": false,
  "max_concurrent_executions": 5
}
  • Never commit configuration.json with sensitive values
  • Use environment-specific configurations
  • Restrict file permissions: chmod 600 ~/.hive/configuration.json

3. Environment Variables

Never commit sensitive files: 
# Add to .gitignore
.env
config.yaml
*.credentials
~/.hive/credentials

4. Credential Store Security

Hive includes an encrypted credential store at ~/.hive/credentials:
  • Encrypted at rest using cryptography library
  • Automatic encryption for all stored credentials
  • TTL-based caching (default 5 minutes)
  • Thread-safe operations
Use the credential store for API keys instead of environment variables in production:
hive setup-credentials

Credential Storage Backends

Hive supports multiple storage backends:

EncryptedFileStorage

Default: Encrypted local storage at ~/.hive/credentials
  • Best for: Local development
  • Security: Encrypted with local key

EnvVarStorage

Environment variable mapping
  • Best for: CI/CD pipelines
  • Security: Depends on environment security

HashiCorp Vault

Enterprise secrets management
  • Best for: Production deployments
  • Security: Enterprise-grade

InMemoryStorage

In-memory only (testing)
  • Best for: Unit tests
  • Security: Not persistent

5. Network Security

  • ✅ Use HTTPS for all external communications
  • ✅ Configure firewalls to restrict access
  • ✅ Use VPCs or private networks
  • ✅ Enable webhook secrets for authentication
  • ✅ Implement rate limiting

6. Database Security

If using database integrations (Postgres, BigQuery, etc.):
  • Use strong passwords (16+ characters, mixed case, numbers, symbols)
  • Limit network access to specific IPs or VPCs
  • Use read-only credentials when possible
  • Enable audit logging for sensitive operations
  • Regularly rotate credentials

7. Agent-Specific Security

Input Validation

# Define hard constraints for safety
Goal(
    constraints=[
        Constraint(
            description="Never access production database",
            type=ConstraintType.HARD,
            category="safety",
        ),
        Constraint(
            description="Only process emails from allowed domains",
            type=ConstraintType.HARD,
            category="scope",
        ),
    ]
)

Rate Limiting & Cost Controls

RuntimeConfig(
    max_concurrent_executions=5,  # Limit concurrent agents
    # Add cost tracking (roadmap item)
)

Human-in-the-Loop (HITL) for Sensitive Operations

# Require human approval for sensitive actions
NodeSpec(
    id="sensitive-action",
    system_prompt="""
    You are about to perform a sensitive operation.
    Request human approval before proceeding.
    """,
    # Agent will pause and wait for human input
)

Security Features

Hive includes built-in security features:

Environment-Based Configuration

No hardcoded secrets in code. All sensitive values loaded from:
  • Environment variables
  • Encrypted credential store
  • HashiCorp Vault (enterprise)
  • Pydantic-based validation on all inputs
  • Schema enforcement for API endpoints
  • Type checking at runtime
  • Session isolation prevents data bleed
  • Thread-safe state management
  • Automatic session cleanup
  • Configurable CORS for webhook server
  • Origin validation
  • Method restrictions
  • Configurable rate limits
  • Automatic retry with backoff
  • Tool-level rate limiting (many tools handle this automatically)
  • Secure token storage
  • Automatic token refresh
  • Revocation support

Known Security Considerations

Prompt Injection

LLM-based agents are potentially vulnerable to prompt injection attacks. Mitigate by:
  • Validating all user inputs before passing to LLM
  • Using goal constraints to limit agent behavior
  • Implementing HITL nodes for sensitive operations
  • Sandboxing agent execution (especially for code execution tools)

Tool Access Control

Agents have access to all tools defined in their MCP server configuration. Ensure:
  • Principle of least privilege: Only give agents tools they need
  • Separate tool sets for different agent types
  • Review tool permissions regularly

Credential Exposure in Logs

Be cautious of credentials appearing in logs:
  • Never log full API keys (use masking: sk-ant-****...****)
  • Review log levels before enabling DEBUG
  • Restrict log file access (permissions, location)
  • Rotate credentials if exposed

Security Roadmap

Upcoming security features:
  • Audit logging - Compliance and tracking
  • AWS Secrets Manager integration
  • Azure Key Vault integration
  • Per-environment configuration support
  • Enhanced guardrails SDK - Deterministic safety rules
  • Token usage tracking - Cost and quota monitoring

Security Resources

OWASP LLM Top 10

Security risks for LLM applications

MCP Security

Model Context Protocol security best practices

Python Security

Python security considerations

Docker Security

Docker security best practices

Questions?

For security-related questions that don’t involve active vulnerabilities:
For active vulnerabilities, please email [email protected] directly. Do not post in public channels.

Build docs developers (and LLMs) love

Get started for freeTalk to us