Two things on this page. First, how to disclose a security issue in ArgosBrain — channel, scope, response time. Second, an explicit positioning statement we wish more vendors made: ArgosBrain is a memory layer, not a replacement for the tools you already trust. We complement grep, Semgrep, CodeQL, SonarQube, and the rest of your security stack. We are not a substitute for any of them.
Email [email protected]. PGP encryption is supported on request — reply to your initial mail and we'll send the public key inline.
Please include: a clear description, steps to reproduce, the affected component (binary version, MCP server version, dashboard URL, or web property), and an impact assessment if you have one. If you've already drafted CVE-style metadata, attach it; otherwise we'll work it out together during triage.
What we want to hear about, what we'd rather you not file.
argosbrain, argosbrain-mcp, and argosbrain-manager binaries (any released version)argosbrain.com and app.argosbrain.com (the dashboard, install endpoints, license-token exchange)127.0.0.1:3733 (auth, CSRF, XSS, SSRF, RCE, path traversal)This is the part most vendors skip. We want it on the record. ArgosBrain is not a security scanner. It is a structural memory layer that the rest of your stack queries to make their findings durable, reachable, and queryable across sessions.
| Tool | What it does | What ArgosBrain adds |
|---|---|---|
| grep / ripgrep | Fast literal text search (comments, logs, non-code strings) | Structural lookup the same query can't answer — exact callers, blast radius, reachability |
| Semgrep | Pattern-based rule matching, AST-aware | Memory of where Semgrep findings touched code, surviving refactors and re-runs |
| CodeQL | Deep dataflow + taint analysis | Reachability cache + cross-session symbol map so the agent doesn't re-derive the call graph every prompt |
| SonarQube | Code quality, duplications, complexity hotspots | Structural neighborhood for every Sonar finding — what calls it, what it calls, who else touches the cluster |
| Snyk / Dependabot | Vulnerability scanning of dependencies | Trace from a CVE to every code path that imports the vulnerable symbol — supply-chain reachability |
| Tree-sitter / SCIP / LSP | Parsers and indexers we build on top of | In-memory graph that survives editor restarts and serves agents over MCP at sub-millisecond cost |
| Cursor / Claude Code / Codex | AI coding agents that consume code context | Persistent, deterministic memory layer they query via MCP — instead of re-grepping every turn |
If you find a security tool we should pair with and don't yet, tell us at [email protected]. The list above is the canonical pairing matrix and we update it as the ecosystem evolves.
If you make a good-faith effort to comply with this policy, we will:
Good faith means: no DDoS, no privacy invasion of other users, no degradation of service, and no exfiltration of data beyond the minimum necessary to demonstrate the issue. If your research requires touching production data or other users' codebases, stop and email us first.