Vulnerability Disclosure Policy
Cognium welcomes responsible disclosure of security vulnerabilities in our products and services. We are committed to working with security researchers to verify and address potential vulnerabilities.
Scope
This policy applies to vulnerabilities in:
- Cognium web properties (cognium.net, cognium.dev, app.cognium.net)
- Cognium open-source projects on GitHub
- The Cognium Trust Engine and related APIs
How to Report
Email security reports to: security@cognium.net
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected component or URL
- Your assessment of severity
- Any proof-of-concept code (if applicable)
What to Expect
- Acknowledgment within 48 hours
- Initial assessment within 5 business days
- Regular updates on remediation progress
- Credit in our security acknowledgments (if desired)
Safe Harbor
We will not pursue legal action against researchers who:
- Act in good faith to avoid privacy violations, data destruction, and service disruption
- Do not access or modify data belonging to other users
- Provide us with reasonable time to address the issue before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
Research Disclosure Policy
Cognium publishes security research through our Research program. This section describes how we handle disclosure of findings from our own research.
Category-Only Disclosure
Cognium Advisories (CA-YYYY-NNN) use category-level disclosure. We report aggregate findings, vulnerability patterns, and statistical distributions. We do not:
- Name specific vulnerable skills, packages, or tools
- Identify individual authors or maintainers
- Publish exploit code or detailed reproduction steps for unpatched vulnerabilities
Why Category-Level
Category-level disclosure balances researcher credibility with responsible handling:
- Provides actionable intelligence without enabling exploitation
- Allows affected maintainers time to remediate
- Establishes patterns that help the ecosystem improve
- Maintains Cognium's position as a trusted research voice
Coordinated Disclosure
When Cognium research identifies specific vulnerabilities in third-party software:
- We contact maintainers privately before any public mention
- We provide at least 90 days for remediation (or longer for complex issues)
- We coordinate disclosure timing with affected parties
- We credit maintainers who respond constructively
Contact
For security matters: security@cognium.net
For research inquiries: research@cognium.net
For general inquiries: hello@cognium.net