If you discover a security vulnerability in the clarethium-touchstone library, please do NOT open a public GitHub issue. Instead, contact the editor body privately.
Contact: open a GitHub Security Advisory at https://github.com/Clarethium/touchstone/security/advisories/new
You can expect:
- Acknowledgement within 7 days
- Initial assessment within 14 days
- Coordinated disclosure timeline based on severity
In scope:
- The clarethium-touchstone library code
- The library's dependency declarations (pyproject.toml)
- The CI/CD workflows that build and (eventually) publish releases
- The Touchstone Standard's threshold values and reference test cases (a security issue here would be: a threshold or test case that would allow malicious content to evade detection)
Out of scope:
- Library behavior on adversarial AI outputs designed to evade structural detection. The Standard documents known gaming vectors (Section 9 of the methodology); evasion of structural detection by design is a research problem, not a security vulnerability.
- Third-party AI tools or APIs the library integrates with (e.g., Gemini for Layer 1a)
- Misuse of the library for purposes outside its intended scope
Pre-1.0: only the latest 0.x release is supported.
Post-1.0: the latest minor version on each supported major version is supported. Older versions receive critical security fixes for 12 months after a new major version ships.
The library is designed to operate offline (Layers 1b, 1c, 2-7, 9, 10, 11) without making network requests. Optional Gemini integration (Layer 1a, semantic alignment Layer 5) makes outbound API calls only when explicitly enabled.
The library does not handle authentication, secrets, or persistent storage. Users are responsible for securing API keys and managing data the library processes.
The Standard explicitly notes (Section 9 of methodology) gaming vectors that humans aware of the implementation can exploit. Treat substrate output as one input to a quality decision, not the only input.
Vulnerabilities are disclosed via GitHub Security Advisories. Patches ship as point releases.
Credit is given to reporters who choose to be acknowledged.