Skip to content

Security Policy

Reporting Vulnerabilities

Please DO NOT open a public GitHub issue for security vulnerabilities.

Email us directly at: security@manceps.com

What to Include

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Impact assessment
  4. Affected versions
  5. Suggested fix (optional)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: Critical vulnerabilities within 30 days

Supported Versions

Version Supported
1.1.x Yes
< 1.1 No

Security Best Practices

When using COSMIC:

  1. API Keys: Never commit API keys. Use environment variables.
  2. LLM Endpoints: Use HTTPS in production.
  3. Input Validation: Ensure input sources are trusted.
  4. Dependencies: Keep dependencies updated.

Scope

In scope:

  • COSMIC library code
  • CLI tool
  • Configuration handling
  • Dependencies affecting COSMIC

Out of scope:

  • Third-party dependencies (report to respective projects)
  • Physical access attacks
  • Social engineering

See SECURITY.md for full policy.