Thanks for helping keep ShieldCortex — and the projects that depend on it — safe.
Email: security@drakonsystems.com
Please do not open a public GitHub issue for security vulnerabilities. For non-security bugs, file an issue as normal.
A PGP key fingerprint is published at https://shieldcortex.ai/.well-known/security.txt. Request the full key by reply if you'd like to encrypt the report.
| Stage | Target |
|---|---|
| Initial acknowledgement | Within 48 hours |
| Triage + severity assignment | Within 5 business days |
| Critical/High fix or mitigation | Within 30 days of triage |
| Medium/Low fix | Next scheduled release |
| Public disclosure coordination | After fix shipped; default 90-day max embargo |
These are commitments by Drakon Systems Ltd, not contractual SLAs. We will tell you immediately if a target will slip.
We support the latest two major versions of the shieldcortex npm package. Older majors receive security fixes only at maintainer discretion.
| Version | Status |
|---|---|
| 4.x | ✅ Supported |
| 3.x | ✅ Supported |
| ≤ 2.x | ❌ End of life |
In scope:

- The published `shieldcortex` npm package (latest two majors)
- The bundled local dashboard server (port 3838)
- The SaaS API at `api.shieldcortex.ai`
- The dedicated OpenClaw plugin `@drakon-systems/shieldcortex-realtime`
- Defence pipeline correctness issues (false negatives on documented attack classes)
- Credential leak, prompt-injection, and memory-poisoning bypasses against documented detection layers

Out of scope:

- Findings that require a malicious local user already on the host (the package is designed to run on the user's own machine)
- Denial of service against your own local `memories.db`
- Self-XSS in the local dashboard requiring console paste
- Vulnerabilities in `better-sqlite3`, `@anthropic-ai/sdk`, Node.js, Fly.io, or other upstream software — please report those upstream
- Spam, social engineering of staff, physical attacks
- Issues against pre-release branches or unsupported old versions
If you act in good faith — staying within the scope above, avoiding privacy violations and service disruption, and giving us reasonable time to remediate before public disclosure — we will not initiate legal action against you. Testing is authorised only against your own machine, your own ShieldCortex Cloud account, or a designated test account you have created.
Full vulnerability disclosure policy, compliance roadmap, and engineering posture: https://shieldcortex.ai/security
Drakon Systems Ltd · Company number 16867343 · 34 Lumina Way, Enfield, England, EN1 1FS