STATUS: NON-CANON ROLE: SECURITY / VULNERABILITY DISCLOSURE SCOPE: Reporting and disclosure metadata. Not part of canonical law.

This file is non-canonical metadata describing how to report security vulnerabilities affecting this repository.

• To report a vulnerability, contact: corexalt@proton.me
• Please include:
  • Affected version (release tag or commit SHA).
  • Reproduction steps, ideally with a minimal proof-of-concept.
  • Assessed impact and any known mitigations.
• We will acknowledge receipt within 5 business days.

We follow a coordinated disclosure model:

• Default disclosure window: 90 days from acknowledgement.
• Extendable by mutual agreement for complex issues that require upstream coordination (Rust crates, Linux kernel, HSM vendors, etc.).
• Public disclosure prior to remediation is discouraged unless safety considerations require otherwise.

Canonical execution membrane specifications (specs/) and reference Rust runner (noncanon/). Reports concerning specification ambiguity, runner divergence from specs, or membrane bypass are in scope.

Vulnerabilities in third-party dependencies declared in this repository's manifests are also welcome; we will coordinate upstream where applicable.

• Issues already disclosed publicly without coordination.
• Social engineering of maintainers.
• Denial-of-service against public test infrastructure.
• Findings that violate applicable law or this project's NOTICE / LICENSE terms (e.g., unauthorized access to non-public infrastructure).

This Work is the property of Technologies CoreXalt Inc. (Québec, Canada); see the repository's NOTICE file for full provenance and attribution (SYF Core Foundation stewardship 2025 → CoreXalt assignment 2026).

This document is non-canonical informational metadata. It does not modify license, contract, or warranty terms.