CosmicSec-Lab takes the security of our platform and ecosystem extremely seriously. We are an open-source cybersecurity project, and we welcome security researchers to audit our codebase and report any vulnerabilities they find.
Currently, we are in active beta development. We provide security patches for the main branch across all our repositories.
| Version | Supported |
|---|---|
| main | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them directly to our security team via email: security@cosmicsec.org
To help us triage and fix the vulnerability quickly, please include:
- Description of the vulnerability (e.g., XSS, SSRF, SQLi).
- Affected repository (e.g., cosmicsec-core, cosmicsec-web).
- Steps to reproduce the issue (proof-of-concept scripts or screenshots are highly appreciated).
- Potential impact if the vulnerability is exploited.
We will acknowledge your report within 48 hours, and we will keep you updated as we work on a fix.
We are actively setting up a formalized Bug Bounty program. Until it launches, we cannot offer monetary rewards (we are a non-profit), but we will gladly:
- Credit you in our Security Advisories and Release Notes.
- Provide a letter of recommendation or endorsement for your portfolio.
- Send you exclusive CosmicSec-Lab contributor swag (if applicable).
Thank you for helping keep the CosmicSec ecosystem safe!