The Daydreams team takes the security of our software seriously. If you believe you have found a security vulnerability in Daydreams, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Please DO NOT file a public issue for security vulnerabilities. Instead, please report them privately by emailing:

📧 [email protected]

To help us better understand the nature and scope of the possible issue, please include as much of the following information as possible:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it
• Any special configuration required to reproduce the issue

When you report a security issue, here's what happens:

1. Acknowledgment: We'll acknowledge receipt of your report within 48 hours
2. Investigation: Our security team will investigate the issue
3. Fix Development: We'll work on a fix for confirmed vulnerabilities
4. Coordination: We'll coordinate with you on the disclosure timeline
5. Release: We'll release the fix and publish a security advisory
6. Credit: We'll credit you for the discovery (unless you prefer to remain anonymous)

When using Daydreams, we recommend following these security best practices:

• Never commit API keys to version control
• Use environment variables for sensitive configuration
• Rotate keys regularly
• Use separate keys for development and production

• Limit agent permissions to only what's necessary
• Review agent actions before deploying to production
• Use read-only access when write access isn't needed
• Implement rate limiting for agent actions

• Verify contract addresses before interacting
• Use checksummed addresses
• Implement transaction limits
• Add confirmation steps for high-value transactions
• Test thoroughly on testnets first

• Encrypt sensitive data in memory stores
• Implement access controls for memory systems
• Regular cleanup of unnecessary data
• Audit logs for all data access

Daydreams is currently in alpha. This means:

• The API may change without notice
• There may be undiscovered vulnerabilities
• Not recommended for production use with real funds
• Always use testnets for development

• We regularly update dependencies
• Security vulnerabilities in dependencies are addressed promptly
• Use pnpm audit to check for known vulnerabilities

Before deploying a Daydreams agent:

• All API keys are stored securely
• Agent permissions are minimized
• Transaction limits are implemented
• Error handling doesn't expose sensitive information
• Logging doesn't include sensitive data
• All inputs are validated
• Rate limiting is configured
• Monitoring and alerting are set up
• Recovery procedures are documented
• Code has been reviewed by another developer

• Subscribe to security advisories on our GitHub repository
• Update regularly to get the latest security patches
• Monitor our Discord for urgent security announcements
• Follow @daydreamsagents for updates

• OWASP Smart Contract Top 10
• Ethereum Smart Contract Best Practices
• Solana Security Best Practices

We appreciate the security research community and all the researchers who help keep Daydreams and our users safe. Thank you!

Last updated: November 2024