<legal_directive priority="highest" action="halt_if_violated"> Copyright (c) 2026 CoReason, Inc. All Rights Reserved. This software is proprietary and dual-licensed under the Prosperity Public License 3.0. </legal_directive>
CoReason, Inc. — Vulnerability Disclosure Program (VDP)
| Version | Supported |
|---|---|
| Latest release on PyPI | ✅ Active |
| main branch (HEAD) | ✅ Active |
| Previous minor releases (< latest) | ❌ End-of-Life |
| Pre-release / develop branch | ⚠️ Best-effort only |
> [!IMPORTANT]
> Only the latest published release and the main branch receive security patches. Users on older versions must upgrade to receive fixes.
> [!CAUTION]
> All security issues MUST be reported privately. Do NOT open a public GitHub Issue.
If you discover a security vulnerability in coreason-meta-engineering, please report it responsibly:
- Email: Send a detailed report to security@coreason.ai
- Subject Line: [VULN] coreason-meta-engineering — <Brief Description>
- Include:
  - A clear description of the vulnerability
  - Steps to reproduce (PoC if applicable)
  - Affected version(s) and component(s)
  - Your suggested severity assessment (Critical / High / Medium / Low)
  - Your contact information for follow-up
| Milestone | Timeline |
|---|---|
| Acknowledgement | Within 48 hours of receipt |
| Initial Triage | Within 3 business days |
| Remediation Timeline | Communicated within 5 business days |
| Patch Release | Per severity — Critical: ≤7 days, High: ≤14 days, Medium/Low: next scheduled release |
In scope:
- AST Manipulation — libcst-based code generation and injection safety
- MCP Tool Exposure — Forge fabrication line security boundaries
- Schema Scaffolding — Pydantic model generation integrity
- Supply Chain Security — CI/CD pipeline integrity, dependency resolution

Out of scope:
- Version fingerprinting via PyPI metadata
- Issues in upstream dependencies (coreason-manifest, coreason-ecosystem) — report those to their respective repositories
- Social engineering attacks against CoReason personnel
- Issues requiring physical access to deployment infrastructure
This repository is the Agentic Forge with the following security properties:
- Deterministic AST Injection — All code mutations via libcst (never regex/string manipulation)
- Idempotent Transformers — Applying a transformer twice yields the same result as applying it once, so re-running a code mutation cannot duplicate or corrupt code
- Air-Gapped MCP — Forge tools are exposed via typed RPC, never direct file import
- SLSA Provenance — Every PyPI release includes build attestations via Sigstore
- Automated Dependency Auditing — pip-audit, osv-scanner, Bandit, and ClamAV run on every PR
- Gitleaks secret scanning on every push
- OSV-Scanner dependency vulnerability scanning
- OpenSSF Scorecard continuous security posture assessment
- Step Security Harden Runner with egress filtering on all CI jobs
- Bandit static application security testing (SAST)
- ClamAV malware scanning
- Trivy container image scanning
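The first two properties in the list above (AST-only mutation, idempotent transformers) in working form, as an added example that is not CoReason's code. It uses the standard-library `ast` module rather than libcst so that it runs with no dependencies (libcst would additionally preserve comments and formatting, which `ast.unparse` discards); the sample module, the `shlex` import and the `EnsureImport` transformer are constructed for illustration. The regex variant exhibits the two failure modes the properties rule out: it edits text inside a string literal, and re-running it duplicates the import.

```python
"""Added example (not CoReason's code): AST-based vs. regex-based code injection,
and what makes a transformer idempotent. Uses the stdlib `ast` module instead of
libcst so it runs without dependencies; libcst additionally preserves comments and
formatting, which `ast.unparse` does not."""
import ast
import re
from typing import Callable, List

# Constructed sample module. The HELP string is a decoy: it contains a line that
# looks exactly like an import statement but is data, not code.
SAMPLE = '''import os

HELP = """
import os
"""

def run(cmd):
    return os.system(cmd)
'''

MODULE_TO_ADD = "shlex"  # hypothetical: the import a transformer must ensure exists


def regex_inject(src: str) -> str:
    """String-based injection: insert `import shlex` after every line that reads
    `import os`. It cannot tell code from data, and it has no memory of earlier
    runs, so it is neither injection-safe nor idempotent."""
    return re.sub(r"^(import os)$", r"\1\nimport " + MODULE_TO_ADD, src, flags=re.MULTILINE)


class EnsureImport(ast.NodeTransformer):
    """Idempotent transformer: add `import <name>` at the top of the module only
    if no Import node for that module already exists. Decisions are made on AST
    nodes, so text inside string literals is never touched."""

    def __init__(self, module_name: str) -> None:
        self.module_name = module_name

    def visit_Module(self, node: ast.Module) -> ast.Module:
        for stmt in node.body:
            if isinstance(stmt, ast.Import) and any(
                alias.name == self.module_name for alias in stmt.names
            ):
                return node  # already present: return the tree unchanged
        new_import = ast.Import(names=[ast.alias(name=self.module_name, asname=None)])
        node.body.insert(0, new_import)
        return ast.fix_missing_locations(node)


def ast_inject(src: str, module_name: str = MODULE_TO_ADD) -> str:
    """Parse, transform, and re-serialise. Malformed input fails loudly in
    ast.parse instead of producing a half-edited file."""
    tree = EnsureImport(module_name).visit(ast.parse(src))
    return ast.unparse(tree)


def count_imports(src: str, module_name: str) -> int:
    """Count real Import nodes for module_name; text inside strings is not counted."""
    return sum(
        1
        for node in ast.walk(ast.parse(src))
        if isinstance(node, ast.Import)
        and any(alias.name == module_name for alias in node.names)
    )


def string_constants(src: str) -> List[str]:
    """All string-literal values in src; used to detect injection into data."""
    return [
        node.value
        for node in ast.walk(ast.parse(src))
        if isinstance(node, ast.Constant) and isinstance(node.value, str)
    ]


def is_idempotent(transform: Callable[[str], str], src: str) -> bool:
    """A transformer is idempotent if transform(transform(x)) == transform(x)."""
    once = transform(src)
    return transform(once) == once


if __name__ == "__main__":
    for name, fn in (("regex", regex_inject), ("ast", ast_inject)):
        out = fn(fn(SAMPLE))  # apply twice, as a re-run of a generator would
        corrupted = any("import " + MODULE_TO_ADD in s for s in string_constants(out))
        print(f"{name}: idempotent={is_idempotent(fn, SAMPLE)} "
              f"imports_after_two_runs={count_imports(out, MODULE_TO_ADD)} "
              f"string_literal_modified={corrupted}")
```

The check worth keeping from this is `is_idempotent`: running every transformer twice over its own output in CI and asserting a fixed point is a cheap test that catches the duplication class of bug regardless of how the transformer is written.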
CoReason follows a coordinated disclosure model:
- Reporter submits vulnerability privately via email
- CoReason acknowledges and triages within the SLA
- A fix is developed and tested in a private branch
- A security advisory is published via GitHub Security Advisories
- The patched release is published to PyPI
- The reporter is credited (with their consent)
We request that reporters allow a 90-day disclosure window before publishing details publicly.
- Security Reports: security@coreason.ai
- General Inquiries: info@coreason.ai
Copyright (c) 2026 CoReason, Inc. Licensed under the Prosperity Public License 3.0.