CX Terminal is currently in active development. Security updates are provided for the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: security@cxlinux.ai

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

Security concerns for CX Terminal include:

• AI Command Execution — Sandboxing and validation of AI-generated commands
• IPC Security — Unix socket communication with cx-daemon
• Credential Handling — API keys, SSH keys, secrets in terminal sessions
• Local Data — SQLite history database, ML models, configuration files
• Network Security — LLM API communications, update mechanisms

• Vulnerabilities in upstream WezTerm (report to WezTerm)
• Social engineering attacks
• Physical access attacks
• Denial of service via resource exhaustion

We gratefully acknowledge security researchers who report vulnerabilities responsibly. With your permission, we will:

• Credit you in the security advisory
• Add you to our Security Hall of Fame
• Provide bounty consideration for critical findings (post-funding)

We support responsible disclosure. We will not pursue legal action against researchers who:

• Act in good faith
• Avoid privacy violations, data destruction, and service disruption
• Report vulnerabilities promptly
• Allow reasonable time for remediation before disclosure

When using CX Terminal:

1. Review AI commands — Always use dry-run mode for destructive operations
2. Protect API keys — Use environment variables, not hardcoded values
3. Update regularly — Security patches are released as needed
4. Audit logs — Review ~/.cx/history.db periodically
5. Network isolation — Use firewall rules for cx-daemon if exposed

Contact: security@cxlinux.ai
PGP Key: [Coming soon]
Last Updated: January 2026 EOF