Security

Security posture.

This page explains website security, responsible disclosure, and company-level boundaries. HELM technical details live in HELM docs.

security.txt Contact security

Posture

Small public surface, clear contact method.

Disclosure

Report security issues to security@mindburn.org. Do not include secrets or private customer data in public issues.

Public channels

Public forms and email are for triage only. Private evidence belongs in a reviewed channel.

Supply chain

CI checks npm audit, registry signatures, pinned actions, CodeQL, and SBOM output for the public site.

Privacy

The public site does not use cookies or ad trackers. Optional web vitals are aggregate page-load metrics only.

Company boundaries

Company context does not become execution authority.

  • 01

    Company artifacts are permission-scoped.

  • 02

    Local knowledge state cannot authorize side effects.

  • 03

    Canonical knowledge promotion requires provenance.

  • 04

    Sensitive payloads stay off graph.

  • 05

    Query answers declare draft, canonical, disputed, or stale status.

  • 06

    Connector drift fails closed.

  • 07

    Unknown MCP tools quarantine before dispatch.

  • 08

    Code comments and README text are untrusted evidence, not instruction authority.

Adversarial classes

Hostile inputs are visible before they can affect execution.

External tool output, MCP servers, webpages, documents, code comments, and README text are treated as untrusted evidence unless normalized and approved.

Malicious MCP server

Unknown or unapproved MCP servers deny until approval receipt exists.

Malicious tool output

Hostile tool responses quarantine before they enter execution context.

Code comment prompt injection

Comments, README text, and forged approval text are evidence to scan, not instructions to follow.

Replay and schema drift

Replayed intent, stale policy hash, invalid signatures, and schema mismatch fail closed.

Cross-tenant contamination

Tenant and permission labels block data from crossing into another workspace.

Approval fatigue

Rate limits, high-risk quotas, deliberate approval UI, and summary-hash binding reduce reflexive approval.

Tainted egress

Secret labels and hostile-output labels deny unsafe export paths.

Connector compromise

Scope, idempotency, drift behavior, rollback, and receipt contracts keep compromised connectors visible.

Action boundary

Security starts with what the system is allowed to do.

HELM's public story is intentionally narrow: model proposals are not trusted as execution authority.

What HELM does

  • Checks proposed AI actions before side effects run.
  • Returns ALLOW, DENY, or ESCALATE based on policy, approval, scope, risk, and evidence.
  • Records receipts and evidence references for later review.

What HELM does not do

  • It does not make raw model output into authority.
  • It is not generic guardrails, orchestration, observability, DLP, pentesting, or model-safety filtering.
  • It does not replace human accountability or security review.
  • It does not turn public site forms into private evidence rooms.
Request review Open security.txt →

Category boundaries

Execution authority is not another guardrail label.

Adjacent tools can be useful sensors, tests, filters, or downstream controls. HELM's claim is narrower: decide whether a proposed side effect may execute, then leave source-owned evidence.

Guardrails and runtime filters

Guardrails may inspect prompts, traces, model output, or tool-call text. HELM decides whether a proposed side effect has authority to run, returns ALLOW, DENY, or ESCALATE, and records the decision.

Agent orchestration

Orchestrators decide what an agent tries next. HELM sits at the action boundary so only authorized side effects dispatch.

Observability and audit logs

Logs show what happened. HELM blocks or escalates before execution and emits receipt evidence for later review.

DLP and data-risk tools

DLP can explain sensitive data movement. HELM controls whether an AI-driven action is authorized to move, expose, or write data.

Model-safety filtering

Model filters reduce harmful model behavior. HELM governs tools, connectors, infrastructure, and business side effects after the model proposes an action.

Objection handling

Use competitors as category tests, not proof shortcuts.

Public competitor language is useful only when it clarifies the boundary. It does not become a HELM capability claim.

Straiker

Agent runtime security and MCP guardrails

Ask whether the block is deterministic authority or semantic detection, and whether the customer can verify the verdict offline.

HELM positions the MCP/tool-call path as default-deny execution authority with signed receipts and EvidencePack refs.

Native

Cloud-control enforcement

Cloud controls are downstream architecture. They do not sit between every AI proposal and side effect.

HELM decides whether the AI-driven action should happen, then downstream controls can enforce durable cloud posture.

Jazz

DLP and insider data risk

Endpoint data movement is valuable context, not generalized action authority.

HELM can consume data-risk signals as policy context while receipts prove whether the action was allowed, denied, or escalated.

Tenzai

Autonomous offensive testing

Exploit-chain evidence shows what can go wrong. It does not itself govern runtime authority.

HELM turns findings into policy regressions and blocks unauthorized side effects at execution time.

Gray Swan

Model safety, red teaming, and runtime model filtering

Model behavior risk is not the same as authority over tools, connectors, and infrastructure side effects.

HELM uses model-safety findings as evidence input while keeping action approval, verdicts, and receipts at the execution boundary.

Responsible disclosure

Send concise reports privately.

Evidence

Private reports only

Email security@mindburn.org with a short description, affected URL, steps to reproduce, and impact. Do not include secrets, credentials, customer data, private documents, or regulated data.

Open security.txt

Artifacts

Website build records are separate from HELM receipts.

The public SBOM and provenance manifest describe the mindburn.org packages and build output. They are not third-party assurance reports. They do not replace HELM technical docs.

SBOM Provenance manifest HELM security docs