CORTEX is primarily a documentation, template, and installer repository. Security-sensitive issues in this repository are any flaws that could reasonably cause unsafe repository operations, authority escalation, or misleading safety guidance when CORTEX is applied to another project.
Examples include:
- installer behavior that can write outside the intended target repository;
- guidance that materially weakens advisory-first defaults or branch-isolation rules;
- templates or adapters that encourage destructive actions outside the documented modes;
- distributed package artifacts that do not match the published source.
If the repository host provides private vulnerability reporting, use that channel. If private reporting is not available, do not open a public issue for an unpatched vulnerability. Report it through a private maintainer contact channel associated with this repository or the package distribution.
Include:
- the affected commit, tag, or package version;
- the files involved;
- a minimal reproduction;
- expected behavior;
- actual behavior;
- impact and any suggested mitigations.
Security fixes should be targeted at the latest public milestone first. Older snapshots may remain unsupported unless they are still the primary distributed package.
The following are not repository security issues by themselves:
- vulnerabilities inside a target project where CORTEX was applied;
- general hardening suggestions without a concrete exploit path;
- operator-authorized destructive actions that match the documented mode boundaries;
- disagreements with the CORTEX operating model that do not create a safety defect.