
Security: manceps/cosmic


SECURITY.md

Security Policy

Supported Versions

Version Supported
1.1.x
< 1.1

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Please DO NOT open a public GitHub issue for security vulnerabilities.

Instead, email us directly at: security@manceps.com

What to Include

When reporting a vulnerability, please include:

  1. Description: A clear description of the vulnerability
  2. Steps to Reproduce: Detailed steps to reproduce the issue
  3. Impact Assessment: Your assessment of the potential impact
  4. Affected Versions: Which versions are affected (if known)
  5. Suggested Fix: Any suggestions for remediation (optional)

Response Timeline

  • Initial Response: Within 48 hours of receipt
  • Status Update: Within 7 days with an assessment
  • Resolution Target: Critical vulnerabilities within 30 days

Disclosure Policy

  • We will acknowledge receipt of your report
  • We will work with you to understand and validate the issue
  • We will keep you informed of our progress
  • We will credit you in the security advisory (unless you prefer anonymity)
  • We ask that you give us reasonable time to address the issue before public disclosure

Scope

The following are in scope for security reports:

  • COSMIC library code (src/cosmic/)
  • CLI tool (cosmic command)
  • Configuration handling
  • Dependencies with known vulnerabilities affecting COSMIC

Out of Scope

  • Issues in third-party dependencies (report to the respective projects)
  • Issues requiring physical access to the system
  • Social engineering attacks
  • Denial of service attacks

Security Best Practices

When using COSMIC:

  1. API Keys: Never commit API keys or secrets. Use environment variables.
  2. LLM Endpoints: Ensure your LLM endpoint uses HTTPS in production.
  3. Input Validation: COSMIC processes text input; ensure your input sources are trusted.
  4. Dependencies: Regularly update dependencies with pip install --upgrade "cosmic-chunker[all]" (the quotes stop shells such as zsh from treating [all] as a glob pattern).
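As an added illustration of practices 1 and 2 above (not code from the COSMIC project), the helper below reads the LLM endpoint and API key from environment variables, refuses a plain-HTTP endpoint in production, and produces a redacted copy of the settings that is safe to log. The variable names COSMIC_LLM_ENDPOINT and COSMIC_LLM_API_KEY are assumed for the example; COSMIC's own configuration keys may differ.

```python
import os
from urllib.parse import urlparse


class InsecureEndpointError(ValueError):
    """Raised when the LLM endpoint does not meet the transport requirement."""


def load_llm_settings(env=None, production=True):
    """Read the LLM endpoint and API key from environment variables.

    `env` defaults to os.environ; a dict can be passed in for testing.
    The variable names below are assumptions for this example, not the
    COSMIC project's real configuration keys.
    """
    env = os.environ if env is None else env
    endpoint = env.get("COSMIC_LLM_ENDPOINT", "").strip()
    api_key = env.get("COSMIC_LLM_API_KEY", "").strip()
    if not endpoint:
        raise ValueError("COSMIC_LLM_ENDPOINT is not set")
    if not api_key:
        raise ValueError("COSMIC_LLM_API_KEY is not set")

    parsed = urlparse(endpoint)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise InsecureEndpointError(f"malformed endpoint URL: {endpoint!r}")
    # Plain HTTP exposes the API key and the chunked text in transit, so allow it
    # only outside production, and then only for a loopback development server.
    if parsed.scheme == "http":
        host = parsed.hostname or ""
        if production or host not in ("localhost", "127.0.0.1", "::1"):
            raise InsecureEndpointError(
                "LLM endpoint must use HTTPS outside local development"
            )
    return {"endpoint": endpoint, "api_key": api_key}


def redact(settings):
    """Return a copy safe for logs: the key is replaced by its last 4 chars."""
    key = settings["api_key"]
    shown = key[-4:] if len(key) >= 8 else ""
    return {"endpoint": settings["endpoint"], "api_key": f"****{shown}"}


if __name__ == "__main__":
    # Constructed sample environment; never hard-code a real key this way.
    sample_env = {
        "COSMIC_LLM_ENDPOINT": "https://llm.example.com/v1",
        "COSMIC_LLM_API_KEY": "sk-constructed-1234",
    }
    print(redact(load_llm_settings(sample_env)))
```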

Security Updates

Security updates will be released as patch versions (e.g., 1.1.1, 1.1.2) and announced via:

  • GitHub Security Advisories
  • Release notes

Thank you for helping keep COSMIC secure.
