Security Policy
How to report security issues responsibly.
Report a Vulnerability
Email admin@cordum.io with a clear description, impact assessment, and steps to reproduce. Do not open a public issue for security reports.
What to Include in Your Report
- Description of the vulnerability and affected component
- Steps to reproduce, including any proof-of-concept code
- Impact assessment (what an attacker could achieve)
- Your contact information for follow-up (optional but appreciated)
Response Timeline
- Acknowledgement: within 2 business days
- Triage and assessment: within 5 business days
- Status updates: at least every 10 business days until resolution
In Scope
- cordum.io website and subdomains
- Cordum control plane source code
- Public APIs and endpoints we operate
- CLI tooling and published packages
Out of Scope
- Denial of service or load testing
- Social engineering or phishing
- Third-party services we do not control
- Issues already reported and under active triage
Coordinated Disclosure
We ask that you give us reasonable time to investigate and address the issue before any public disclosure. We target a 90-day disclosure window from the initial report. We will coordinate with you on timing and credit before any public advisory is issued.
Safe Harbor
We consider security research conducted in good faith and in compliance with this policy to be authorized. We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, act in good faith, avoid accessing or modifying other users' data, and do not disrupt production services.
Last updated: February 2026
