| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability in Conative Gating, please report it responsibly:
- Email: [email protected]
- Subject: `[SECURITY] conative-gating: Brief description`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Any suggested fixes (optional)

Response timeline:
- Initial acknowledgment: Within 48 hours
- Triage and assessment: Within 7 days
- Fix or mitigation: Depends on severity
  - Critical: Within 7 days
  - High: Within 30 days
  - Medium/Low: Next release cycle

What you can expect:
- We will acknowledge receipt of your report
- We will investigate and keep you informed of progress
- We will credit you in the security advisory (unless you prefer anonymity)
- We will not take legal action against good-faith security researchers

The Policy Oracle performs deterministic rule checking:
- File extension and content marker detection
- Pattern matching for forbidden content (secrets, banned languages)
- No external network calls during evaluation

Future SLM integration will:
- Run locally using llama.cpp (no external API calls)
- Use quantized models for reduced attack surface
- Implement input sanitization before inference

The Elixir arbiter will:
- Use supervision trees for fault tolerance
- Implement rate limiting to prevent DoS
- Log all decisions for audit purposes

When deploying Conative Gating:
- Run with minimal privileges
- Use read-only access to scanned directories where possible
- Validate all external inputs (proposal JSON schemas)
- Review audit logs regularly
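As an added illustration (not the project's own code), the sketch below shows the kind of deterministic, offline check that the Policy Oracle description above implies, with the proposal-schema validation recommended for deployment run first so malformed input fails closed. Python as the implementation language, the two-field proposal shape, the allowlisted and banned extensions, the content markers and the secret patterns are all assumptions made for the example.

```python
import os
import re
from dataclasses import dataclass, field

# Hypothetical rule set; the project's real rules and proposal schema are not on this page.
ALLOWED_EXTENSIONS = {".py", ".md", ".json", ".txt"}
BANNED_LANGUAGE_EXTENSIONS = {".php": "php", ".ps1": "powershell"}
# Content markers catch a banned language hidden behind an allowed extension.
CONTENT_MARKERS = {"<?php": "php", "#!/usr/bin/env pwsh": "powershell"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assigned_token": re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*\S{16,}"),
}
PROPOSAL_SCHEMA = {"path": str, "content": str}  # assumed shape of a proposal JSON object

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def validate_proposal(proposal):
    """Check the external input against the assumed schema before any rule runs."""
    if not isinstance(proposal, dict):
        return ["proposal must be a JSON object"]
    errors = [f"missing field: {k}" for k in PROPOSAL_SCHEMA if k not in proposal]
    errors += [f"field {k} must be {t.__name__}" for k, t in PROPOSAL_SCHEMA.items()
               if k in proposal and not isinstance(proposal[k], t)]
    errors += [f"unexpected field: {k}" for k in sorted(set(proposal) - set(PROPOSAL_SCHEMA))]
    return errors

def evaluate(proposal):
    """Deterministic, offline rule check: the same input always yields the same Decision."""
    errors = validate_proposal(proposal)
    if errors:
        return Decision(False, errors)  # fail closed on malformed input
    path, content = proposal["path"], proposal["content"]
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in BANNED_LANGUAGE_EXTENSIONS:
        reasons.append(f"banned language by extension: {BANNED_LANGUAGE_EXTENSIONS[ext]}")
    elif ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension not allowlisted: {ext or '(none)'}")
    for marker, lang in CONTENT_MARKERS.items():
        if marker in content:
            reasons.append(f"banned language by content marker: {lang}")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(content):
            reasons.append(f"forbidden content (secret): {name}")
    return Decision(allowed=not reasons, reasons=reasons)
```

Every rejection carries its reasons, which is what an audit log of decisions needs; nothing in the evaluation path touches the network or the filesystem.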