Security: ccashwell/evm-cortex

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.x       Yes

Reporting a Vulnerability

If you discover a security vulnerability in EVM Cortex, please report it responsibly.

Do NOT open a public issue for security vulnerabilities.

How to Report

  1. Open a private security advisory on GitHub
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Assessment: Within 7 days
  • Fix: Depending on severity, within 7-30 days
  • Disclosure: After the fix is released

Scope

The following are in scope:

  • Hook code execution (TypeScript hooks in hooks/src/)
  • install.sh script security
  • Agent prompt injection vulnerabilities
  • Credential/secret exposure in any files
  • Solidity code examples that contain security anti-patterns

The following are out of scope:

  • Issues in Claude Code itself (report to Anthropic)
  • Social engineering attacks
  • Denial of service

Security Best Practices for Contributors

  • Never commit secrets, API keys, private keys, or credentials
  • All hooks run in the user's shell context — be careful with Bash tool calls
  • Agent prompts should not instruct bypassing security controls
  • Review install.sh changes carefully — it runs with user privileges
  • Solidity examples must follow checks-effects-interactions pattern
  • Never include real private keys or mnemonics in examples
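The checks-effects-interactions rule in the list above is easiest to see side by side. The following is an added illustration, not code from the EVM Cortex project: the contract names, the `balances` mapping and the `withdraw` function are assumptions chosen for the example. The first contract performs the external call before updating state, which is the anti-pattern the policy asks contributors to avoid; the second orders the same three steps as checks, then effects, then interactions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the checks-effects-interactions rule; not project code.
// Contract and variable names are hypothetical.

// Anti-pattern: the external call (interaction) runs before the balance is
// reduced (effect), so the caller's receive/fallback code observes the old
// balance while withdraw() is still executing.
contract VaultReentrant {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");   // check
        (bool ok, ) = msg.sender.call{value: amount}("");          // interaction (too early)
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;                            // effect (too late)
    }
}

// Checks-effects-interactions: validate, update storage, then call out.
// If the call fails, the require reverts and the balance update is undone.
contract VaultCEI {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");   // 1. checks
        balances[msg.sender] -= amount;                            // 2. effects
        (bool ok, ) = msg.sender.call{value: amount}("");          // 3. interactions
        require(ok, "transfer failed");
    }
}
```

When reviewing a Solidity example in a contribution, the quick test is to read each function top to bottom and confirm that no storage write follows an external `call`, `transfer`, or contract method invocation. A reentrancy guard (such as OpenZeppelin's `ReentrancyGuard`) is a reasonable additional layer, but it does not replace correct ordering.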

Hall of Fame

We appreciate security researchers who help keep EVM Cortex safe. Responsible reporters will be credited here (with permission).