Report privately to: security@forge-theory-labs.local
Include:
- description
- reproduction steps
- affected repos
- impact assessment
Do NOT:
- open public issues
- disclose on social media
- publish exploit details
- create public forks showing the issue
Security applies to all Wave A–E repositories:
- cognitive systems
- trading intelligence
- robotics
- infrastructure
- emergence & simulation engines
Code requirements:
- preserve deterministic behaviour
- no global mutable state
- no untyped or ambiguous interfaces
- no unnecessary dependencies
- no hidden network calls
- no uncontrolled filesystem side effects
Allowed:
- zero-dependency implementations
- standard library
- necessary cryptographic primitives
Not allowed:
- unreviewed third-party libraries
- unclear licensing
- ambiguous behaviour
- telemetry or analytics
Never commit:
- API keys
- tokens
- passwords
- private keys
- environment secrets
If leaked:
- rotate immediately
- purge from Git history
- notify maintainers
Robotics:
- no unsafe defaults
- no unbounded motor commands
- no unverified sensor loops
- kill-switch logic required
- hardware assumptions must be validated
Trading intelligence:
- no unbounded order placement
- no silent fallback to real funds
- no ambiguous strategy behaviour
- deterministic, auditable logic only
Emergence & simulation engines:
- no unbounded memory growth
- no infinite loops without break conditions
- no runaway GPU/CPU behaviour
- simulators must remain stable under load
Response timeline:
0–24h: acknowledge
1–7d: reproduce & classify
7–30d: patch & validate
30+d: public disclosure (if applicable)
Security decisions follow:
- semantic correctness
- ecosystem coherence
- long-term stability
- minimal attack surface
- deterministic behaviour