Security: Fozikio/tools-graph

SECURITY.md

Security Policy

Supported versions

Package              Supported
cortex-engine        Latest minor release
@fozikio/tools-*     Latest minor release
@fozikio/reflex      Latest minor release

Reporting a vulnerability

Do not open a public issue for security vulnerabilities.

Email security@fozikio.com or use GitHub's private vulnerability reporting with:

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Suggested fix (if you have one)

We'll acknowledge receipt within 48 hours and aim to release a fix within 7 days for critical issues.

Scope

We're interested in vulnerabilities in:

  • cortex-engine — especially around data persistence, authentication, and MCP tool execution
  • reflex — safety hook bypasses, enforcement circumvention
  • Plugins — injection via observation content, unsafe eval, path traversal
  • Infrastructure — anything related to the Cloud Run service or API endpoints

Out of scope:

  • Vulnerabilities in dependencies (report upstream, but let us know)
  • Social engineering
  • Denial of service related to rate limiting (we're aware of it and working on it)

Recognition

We'll credit security researchers in the release notes (unless you prefer to remain anonymous). We don't currently have a paid bounty program, but significant findings will be recognized.

There aren’t any published security advisories