A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle vulnerability reports submitted by ethical hackers. A VDP must therefore be easy to find; the standard way to publish it is a security.txt file (RFC 9116) served at /.well-known/security.txt, which points researchers to the contact channel and policy.
Contact: mailto:security@usecosmos.com
Preferred-Languages: en
Canonical: https://usecosmos.com/.well-known/security.txt

# Vulnerability Disclosure Guidance

## 1. Report the Concern

If you have any security concerns or would like to report undisclosed security vulnerabilities in our products or services, please email us at [security@usecosmos.com](mailto:security@usecosmos.com).

Note: We do not accept non-security bug reports at this address.

Before reaching out, you may check [https://status.usecosmos.com](https://status.usecosmos.com) to see if the issue is already known. That page also provides an option to report an incident or problem directly.

## 2. Include Details

Please provide as much information as possible, including:

- Summary of the vulnerability
- Affected URLs or components
- Type of weakness (e.g., SQL injection, XSS)
- Tools or environment used
- Steps to reproduce or proof-of-concept
- Estimated severity (e.g., low, medium, high, or CVSS score)
- Plans for public disclosure (if any)

We recommend submitting one plain-text email per vulnerability where possible.

## 3. Vulnerabilities in Third-Party Code

We incorporate open-source and third-party software. If the issue affects an external project, please also notify its maintainers per their disclosure process.

## 4. Use Common Sense

Please act in good faith and avoid privacy violations or disruptions during testing. We commit to reviewing all valid reports confidentially and respectfully.
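The file above carries three RFC 9116 fields (Contact, Preferred-Languages, Canonical) but no Expires field, which RFC 9116 makes mandatory. The checker below is an added example, not code from FireBounty, Onyphe or Cosmos: it parses a security.txt body into fields, ignores `#` comment lines, and applies the RFC's structural rules (Contact and Expires required, Expires and Preferred-Languages at most once, Contact values as mailto:/tel:/https: URIs, Expires not in the past and not more than a year ahead, the fetched URL listed in Canonical). `SAMPLE` is constructed from the fields shown on this page; `GOOD_SAMPLE` is a constructed example.com file; the function names and `CHECK_DATE` are assumptions made for the example.

```python
"""Parser and checker for RFC 9116 security.txt files (added example, not the page's own code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three fields shown on this page, followed by the first
# comment line of the guidance. It has no Expires field, so the checker flags it.
SAMPLE = """\
Contact: mailto:security@usecosmos.com
Preferred-Languages: en
Canonical: https://usecosmos.com/.well-known/security.txt
# Vulnerability Disclosure Guidance
"""

# Constructed sample for a conforming file (example.com is a reserved name).
GOOD_SAMPLE = """\
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2026-06-01T00:00:00Z
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

# Fixed "now" for deterministic checks: the crawl date shown on this page (assumption).
CHECK_DATE = datetime(2025, 12, 4, tzinfo=timezone.utc)

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*?)\s*$")
SINGLETON = {"expires", "preferred-languages"}      # RFC 9116: MUST NOT appear more than once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")   # web Contact URIs MUST use https


def parse_security_txt(text):
    """Return ({field-name: [values]}, [syntax errors]) for a security.txt body."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments are skipped
            continue
        m = FIELD_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not a 'Field: value' line or comment: {line!r}")
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields, errors


def parse_expires(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised for fromisoformat()."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(text, fetched_from=None, now=None):
    """Return a list of problems; an empty list means the file passes every check here."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {c!r}")

    expires = fields.get("expires")
    if not expires:
        problems.append("missing required Expires field")
    else:
        try:
            exp = parse_expires(expires[0])
            if exp <= now:
                problems.append(f"Expires is in the past: {expires[0]}")
            elif exp > now + timedelta(days=365):
                problems.append(f"Expires is more than a year ahead: {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")

    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        problems.append(f"fetched URL {fetched_from} is not listed in Canonical")
    return problems


if __name__ == "__main__":
    url = "https://usecosmos.com/.well-known/security.txt"
    for p in check_security_txt(SAMPLE, fetched_from=url, now=CHECK_DATE):
        print("problem:", p)
```

Run against `SAMPLE` the checker reports only the missing Expires field; a stale Expires is the most common way a published security.txt silently becomes non-conforming, so the date comparison is the check worth automating in a scheduled job.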
This policy was crawled by Onyphe on 2025-12-04 and is categorized as securitytxt.
FireBounty © 2015-2026