Report all security vulnerabilities privately to:
Do not disclose security issues publicly before coordinated remediation.
This policy applies to all repositories in the TEOS Sovereign Security Stack:
- teos-sovereign-security-stack
- agent-code-risk-mcp
- teos-sentinel-shield
- teoslinker-bot
- teos-activation-service
- teosmcp-ci-example
- safe-ingestion-engine
- teos-civic-mixer
- Teos-International-Civic-Blockchain-Constitution
- No secrets in code — Never commit tokens, keys, webhook secrets, or `.env` files.
- No hardcoded credentials — All secrets must use environment variables or a secrets vault.
- Principle of least privilege — Every component has only the permissions it needs.
- Append-only audit — All security-relevant events are logged immutably.
- Human-in-the-loop — High-impact decisions require human approval per ICBC governance.
| Severity | Response | Remediation |
|---|---|---|
| Critical | < 4 hours | < 24 hours |
| High | < 24 hours | < 72 hours |
| Medium | < 72 hours | < 2 weeks |
| Low | < 1 week | Next release |
We follow coordinated disclosure. Reporters receive credit in our security hall of fame upon request.