🔐 Security Policy for the Concept Exchange Protocol (CEP)
Last Updated: 2025-04-28
Applies To: Specification, Reference Agent, Test Suite
🚨 Reporting a Vulnerability
If you discover a security issue related to CEP:
- Please report it privately and responsibly.
- Email us at: [email protected]
- Include:
  - A detailed description of the issue
  - A working proof of concept (if applicable)
  - The impacted area (spec, agent, test case, etc.)
We aim to respond within 72 hours and provide a fix or mitigation plan within 14 days for verified issues.
🧰 Supported Versions
| Version | Security Fixes | Status |
|---------|----------------|--------|
| v1.0.x | ✅ Yes | Active |
| pre-v1 | ❌ No | Legacy |
📜 Scope of Responsibility
We track vulnerabilities related to:
- CEP message validation or replay protection
- Hashing and Merkle proof verification
- Session handling or token abuse
- CLI agent command injection or input validation
🔏 Non-Security Bugs
For general bugs, please open an issue in the GitHub Issues section with a reproducible example.
🔐 Disclosure Process
- You report the issue to [email protected]
- We confirm receipt and triage the report
- Fixes are developed and tested privately
- A GitHub Security Advisory and optional CVE are published
- You may be credited unless anonymity is requested
🙏 Thank You
We greatly appreciate responsible disclosures that help us keep CEP secure, trustworthy, and machine-verifiable.