If you discover a security vulnerability in Orion Dock, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email: Send a detailed report to the repository owner via GitHub private vulnerability reporting (Settings > Security > Advisories > "Report a vulnerability").
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours of your report.
• Assessment: We will evaluate the severity and impact within 7 days.
• Fix timeline: Critical vulnerabilities will be patched as soon as possible. Non-critical issues will be addressed in the next scheduled release.
• Disclosure: We will coordinate disclosure timing with you. We ask that you do not publicly disclose the vulnerability until a fix is available.

The following are in scope for security reports:

• Orion Dock (Rust API, React frontend, Docker-first; no desktop installers)
• Ed25519 signature verification and key management
• DPAPI secrets handling (Windows)
• Skill sandbox escape or permission bypass
• Local LLM endpoint SSRF or injection

• Vulnerabilities in third-party dependencies (report these upstream)
• Social engineering
• Denial of service on local-only interfaces

• All constitutional documents are signed with Ed25519 and verified at every boot
• Secrets are encrypted via Windows DPAPI (user scope) and never stored in plaintext
• Skills run in a permission-checked sandbox with declared manifests
• Local LLM URLs are validated to prevent SSRF (localhost/loopback only)
• GitHub Actions use pinned commit SHAs to prevent supply chain attacks
• Run cargo audit and npm audit locally or in CI when enabled; see CONTRIBUTING for current automation status