Security Policy

scarecr0w12 edited this page Jun 19, 2026 · 3 revisions

Supported Versions

Version          Supported
0.44.x (latest)  Yes
< 0.44           No — please upgrade

Reporting a Vulnerability

Do not open a public GitHub issue. Email:

security@cortexprism.io

Include:

  • Description of the vulnerability and impact
  • Steps to reproduce
  • Affected versions
  • Suggested mitigations

Response Timeline

Timeline         Action
Within 48 hours  Acknowledgment of report
Within 7 days    Initial assessment and severity classification
Within 30 days   Patch developed and tested
On fix release   Public disclosure with credit

We follow responsible disclosure.

Security Architecture

See the Security page for details on:

  • Parallax Policy Validator with regex allow/deny rules
  • LLM Security Supervisor — 3-layer access control (classification → LLM review → human approval)
  • AES-256-GCM Vault with PBKDF2 key derivation
  • Cortex Lens audit log — append-only, 35+ event types
  • Sandbox isolation — Docker/gVisor containers with resource limits
  • No telemetry policy — all data stays on your machine

Known Limitations

  • Policy validator operates on intent strings — best-effort filter, not OS-level sandboxing
  • LLM prompt injection through untrusted content is a risk — review tool approvals carefully
  • Subprocess code execution has no container isolation — use Docker/gVisor for untrusted code
  • LLM supervisor adds latency (~200-500ms) and token costs per sensitive data access

Dependency Auditing

deno run --allow-net https://deno.land/x/deno_audit/main.ts

Report outdated or vulnerable dependencies via the private email channel above, or as a regular GitHub issue if the vulnerability is already public.
