
Security: CoReason-AI/coreason

SECURITY.md

Security Policy

The CoReason.AI unified monorepo takes a zero-trust, mathematically grounded approach to security. This document outlines our security support policies, vulnerability reporting procedures, and the specific threat models in scope for our pure-Rust engine and React sensory UI.

Supported Versions

Currently, we provide security updates for the following versions:

| Version | Supported | Notes                             |
|---------|-----------|-----------------------------------|
| main    | Yes       | Active development branch         |
| v1.x    | Yes       | Latest stable release             |
| < v1.0  | No        | Deprecated polyrepo architectures |

Reporting a Vulnerability

We deeply appreciate the security research community's efforts in keeping our platform secure. If you discover a vulnerability, please do not report it by creating a public GitHub issue.

Instead, report all security vulnerabilities directly to our security team via email: 📧 security@coreason.ai

What to Include in Your Report

To help us quickly triage and remediate the issue, please include:

  1. Description: A clear description of the vulnerability and its potential impact.
  2. Component: The specific crate (core, engine, trust, codegen, server) or frontend package (sensory-core) affected.
  3. Reproduction: Step-by-step instructions or a Proof of Concept (PoC) to reproduce the vulnerability.
  4. Environment: Information about the environment where the vulnerability was observed (e.g., Rust version, OS, browser).

You should receive an initial acknowledgment from our team within 48 hours. We will keep you updated as we investigate and remediate the issue.


Threat Model & In-Scope Components

Because this monorepo consolidates previously distributed services, the security boundary is heavily dependent on internal crate encapsulation. We are particularly interested in reports concerning the following vectors:

1. crates/engine (WASM Sandboxing & Deterministic Compute)

This crate executes untrusted or dynamically generated logic.

  • In Scope: WASM sandbox escapes, memory leaks across execution boundaries, or violations of computational determinism.
  • In Scope: Capability allocator bypasses resulting in unauthorized resource consumption.

2. crates/trust (Cryptographic & Epistemic Authority)

This crate handles all identity management, token verification, and state persistence.

  • In Scope: URN forgery, JWT/SPIFFE claim manipulation, or HashiCorp Vault transit bypasses.
  • In Scope: Tampering with thermodynamic cost trackers or epistemic ledger states.

3. crates/server (I/O Perimeter)

This crate serves as the Axum-based API gateway.

  • In Scope: Authentication bypasses, crashes triggered by malformed requests (DoS vectors), or failure to apply crates/trust validations before a request is dispatched to crates/engine workers.
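The last item above is a design failure rather than a single bug: a handler that reaches an engine worker without the trust layer having run. The following is an added illustration, not code from the coreason repository, of one way to make that failure impossible by construction: the worker accepts only a claim type that the trust validator alone can produce, so a handler that skips validation does not compile. The names TrustValidator, ValidatedClaims and EngineWorker are hypothetical stand-ins for crates/trust and crates/engine, and the SPIFFE trust domain, expiry and scope string are assumed values chosen for the example.

```rust
// Added illustration, not coreason code. TrustValidator, ValidatedClaims and
// EngineWorker are hypothetical stand-ins for crates/trust and crates/engine.

/// Claims as decoded from a bearer token, before any verification.
#[derive(Debug, Clone)]
pub struct RawClaims {
    /// Expected to be a SPIFFE ID such as spiffe://<trust-domain>/<path>.
    pub subject: String,
    /// Expiry as Unix seconds.
    pub expires_at: u64,
    /// Granted scopes, e.g. "engine:execute" (assumed scope name).
    pub scopes: Vec<String>,
}

/// Proof that the trust layer accepted a claim set. The field is private and
/// the only constructor is `TrustValidator::validate`, so server code cannot
/// build one by hand and pass an unchecked request to a worker.
pub struct ValidatedClaims {
    subject: String,
}

impl ValidatedClaims {
    pub fn subject(&self) -> &str {
        &self.subject
    }
}

#[derive(Debug, PartialEq)]
pub enum TrustError {
    Expired,
    UntrustedTrustDomain,
    MissingScope(&'static str),
}

/// Stand-in for the crates/trust verifier.
pub struct TrustValidator {
    trust_domain: String,
    now: u64,
}

impl TrustValidator {
    /// `now` is injected so the expiry check is deterministic and testable.
    pub fn new(trust_domain: &str, now: u64) -> Self {
        Self { trust_domain: trust_domain.to_string(), now }
    }

    pub fn validate(&self, raw: &RawClaims) -> Result<ValidatedClaims, TrustError> {
        // Expiry first: a well-formed subject on an expired token must not
        // reach the worker.
        if raw.expires_at <= self.now {
            return Err(TrustError::Expired);
        }
        // Only identities from our own SPIFFE trust domain are accepted.
        let prefix = format!("spiffe://{}/", self.trust_domain);
        if !raw.subject.starts_with(&prefix) {
            return Err(TrustError::UntrustedTrustDomain);
        }
        // The worker requires an explicit execute capability.
        const REQUIRED: &str = "engine:execute";
        if !raw.scopes.iter().any(|s| s == REQUIRED) {
            return Err(TrustError::MissingScope(REQUIRED));
        }
        Ok(ValidatedClaims { subject: raw.subject.clone() })
    }
}

/// Stand-in for a crates/engine worker. It takes `&ValidatedClaims`, not
/// `&RawClaims`, so a handler that forgets validation is a type error.
pub struct EngineWorker;

impl EngineWorker {
    pub fn execute(&self, claims: &ValidatedClaims, program: &[u8]) -> String {
        format!("{} executed {} bytes", claims.subject(), program.len())
    }
}

/// Request handler as it would sit in crates/server: the only path from a raw
/// token to the worker runs through `TrustValidator::validate`.
pub fn handle_request(
    validator: &TrustValidator,
    worker: &EngineWorker,
    raw: &RawClaims,
    program: &[u8],
) -> Result<String, TrustError> {
    let claims = validator.validate(raw)?;
    Ok(worker.execute(&claims, program))
}

fn main() {
    let validator = TrustValidator::new("coreason.example", 1_700_000_000);
    let worker = EngineWorker;
    // Constructed sample claims for the demo (not real tokens).
    let good = RawClaims {
        subject: "spiffe://coreason.example/server".to_string(),
        expires_at: 1_700_000_600,
        scopes: vec!["engine:execute".to_string()],
    };
    let foreign = RawClaims { subject: "spiffe://attacker.example/x".to_string(), ..good.clone() };
    println!("{:?}", handle_request(&validator, &worker, &good, b"wasm-bytes"));
    println!("{:?}", handle_request(&validator, &worker, &foreign, b"wasm-bytes"));
}
```

The point of the private-field type is that the check cannot be forgotten in a new handler: anything that wants to call the worker has to obtain a ValidatedClaims, and the only function that returns one is the validator. Real token parsing and signature verification would sit in front of validate and are out of scope for this sketch.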

4. crates/codegen (Meta-Engineering)

This crate compiles schemas and generates cross-language bindings.

  • In Scope: Arbitrary code execution during the build process, malicious SDK type-generation, or topological validation bypasses.

AI Agent Security Protocols

This repository is designed to be highly compatible with autonomous AI coding agents. To prevent supply chain attacks or prompt-injection vulnerabilities via automated scaffolding:

  • All agent-generated code must pass strict compilation and type-checking gates before being merged.
  • Vulnerabilities caused by AI-agent hallucinations that bypass crates/trust authorization checks are considered highly critical.

There aren't any published security advisories