Skip to content

Security: aws/n8n-nodes-agentcore

Security

SECURITY.md

Reporting Security Issues

We take all security reports seriously. If you believe you have found a security issue in this project, please report it as described below. Do not create a public GitHub issue for security vulnerabilities.

Reporting a vulnerability

Please report security issues to AWS Security via aws-security@amazon.com, or directly via the AWS Vulnerability Reporting page.

Include the following in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, or a proof-of-concept
  • The version of n8n-nodes-agentcore affected
  • Your n8n version and deployment environment (self-hosted, Docker, etc.)
  • Any known mitigations or workarounds

Please do not include sensitive data (credentials, customer PII, production URLs) in the report body. If you need to share sensitive reproduction data, indicate that in your initial report and we will coordinate a secure channel.

Response process

  • We will acknowledge receipt within 3 business days
  • We will provide an initial assessment within 7 business days
  • For confirmed issues, we will coordinate a fix and disclosure timeline with the reporter
  • Fixes will be released as a patch version on npm with a corresponding GitHub Security Advisory

Scope

In scope:

  • Vulnerabilities in the n8n-nodes-agentcore package code, its credentials handler, or its interaction with the AWS SDK
  • Credential leakage, improper session handling, insecure defaults in the node
  • Supply chain concerns about the published npm artifact

Out of scope:

  • Vulnerabilities in n8n itself — please report those to n8n's security process
  • Vulnerabilities in Amazon Bedrock AgentCore — please report via the AWS Vulnerability Reporting page
  • Vulnerabilities in third-party MCP servers, tool providers, or foundation models invoked through this node — please report to the respective vendors
  • Issues in user-authored n8n workflows that happen to use this node

Safe harbor

AWS considers good-faith security research to be authorized activity that is protected. For details, see the AWS vulnerability disclosure policy.

Thanks

We appreciate the security community's efforts. Reporters who follow this process and help us ship a fix will be credited in the advisory (unless they prefer to remain anonymous).

There aren't any published security advisories