We take the security of Cortex Attack seriously. If you discover a security vulnerability, please follow responsible disclosure:

DO NOT open a public GitHub issue for security vulnerabilities.

1. Email: Send a detailed report to the maintainers via GitHub Security Advisories.
2. Include:
   • A description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Any proof-of-concept code (if applicable)

• Acknowledgement: Within 48 hours of your report
• Status Update: Within 7 days with an initial assessment
• Resolution: We aim to resolve critical issues within 30 days

The following are in scope for security reports:

• Remote code execution vulnerabilities
• Privilege escalation
• Credential/secret exposure
• Dependency vulnerabilities with active exploits

The following are out of scope:

• Denial of service attacks on local deployments
• Issues requiring physical access to the machine
• Social engineering attacks

Responsible disclosures will be credited in our release notes unless you prefer to remain anonymous.