For vulnerabilities in @pmatrix/core-sdk, please report to:
- Email: security@p-matrix.io
- GitHub Security Advisory: https://github.com/p-matrix/core-sdk/security/advisories/new
Do not open public issues for security vulnerabilities.
This SDK is the vendor-neutral foundation for all P-MATRIX Agent Host-Integration Adapters. Vulnerabilities of particular concern:
- Cryptographic primitives: `provenance.signature` (HMAC-SHA256) key handling and request signing.
- Schema validation bypass: zod schema circumvention that lets schema-non-conformant events through.
- Content-agnostic invariant violation: any code path that leaks prompt or response content through the transport layer.
- `vendor_extensions` consumption: the engine MUST NOT consume `vendor_extensions` for judgment; vulnerabilities that allow such consumption are critical.
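To make the four concerns above concrete, the following is an added illustration written for this page; it is not @pmatrix/core-sdk code and the event shape, field names (`risk_hint`, `content_digest`), `DEMO_KEY` and every function are hypothetical. It shows a strict schema check that rejects unknown keys, HMAC-SHA256 signing over a canonical serialization with a constant-time compare, a transport envelope that carries a content digest rather than the content, and a property check that `vendor_extensions` cannot move the verdict.

```typescript
// Added illustration of the invariants listed in this policy. Hypothetical
// shapes and names; not the @pmatrix/core-sdk implementation.
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical event shape. Only `risk_hint` may influence the engine's
// verdict; `vendor_extensions` is an opaque bag the engine must not read.
export interface AgentEvent {
  event_id: string;
  kind: "tool_call" | "completion";
  risk_hint: number;            // 0..1
  content_digest: string;       // sha256 of the content, never the content itself
  vendor_extensions?: Record<string, unknown>;
}
export type Verdict = "allow" | "block";

// Constructed demo key. A real key comes from a secret store, never source code.
export const DEMO_KEY = Buffer.from("constructed-demo-key-not-for-use");

const ALLOWED_KEYS = new Set(["event_id", "kind", "risk_hint", "content_digest", "vendor_extensions"]);

// Strict validation: unknown keys are rejected rather than stripped or passed
// through (the zod equivalent is z.object({...}).strict(); a .passthrough()
// schema is the kind of bypass the list above is concerned with).
export function parseEvent(input: unknown): AgentEvent | null {
  if (typeof input !== "object" || input === null) return null;
  const o = input as Record<string, unknown>;
  for (const k of Object.keys(o)) if (!ALLOWED_KEYS.has(k)) return null;
  const { event_id, kind, risk_hint, content_digest, vendor_extensions } = o;
  if (typeof event_id !== "string" || typeof content_digest !== "string") return null;
  if (kind !== "tool_call" && kind !== "completion") return null;
  if (typeof risk_hint !== "number" || !(risk_hint >= 0 && risk_hint <= 1)) return null;
  if (vendor_extensions !== undefined && (typeof vendor_extensions !== "object" || vendor_extensions === null)) return null;
  return { event_id, kind, risk_hint, content_digest, vendor_extensions } as AgentEvent;
}

// Host-adapter side: content is digested here and never stored in the event,
// so no downstream path can put prompt or response text on the wire.
export function buildEvent(id: string, kind: AgentEvent["kind"], riskHint: number, content: string): AgentEvent {
  const content_digest = createHash("sha256").update(content).digest("hex");
  return { event_id: id, kind, risk_hint: riskHint, content_digest };
}

// Canonical JSON (sorted keys, undefined dropped) so signer and verifier hash identical bytes.
export function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const o = value as Record<string, unknown>;
    const parts = Object.keys(o).filter((k) => o[k] !== undefined).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(o[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

export function sign(event: object, key: Buffer): string {
  return createHmac("sha256", key).update(canonical(event)).digest("hex");
}

// Constant-time comparison; the length check comes first because
// timingSafeEqual throws on buffers of different length.
export function verify(event: object, signature: string, key: Buffer): boolean {
  const expected = Buffer.from(sign(event, key), "hex");
  const given = Buffer.from(signature, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

export function toWire(event: AgentEvent, key: Buffer): string {
  return canonical({ event, provenance: { signature: sign(event, key) } });
}

// Receiver: schema check first, then signature; either failure rejects the event.
export function fromWire(wire: string, key: Buffer): AgentEvent | null {
  let parsed: unknown;
  try { parsed = JSON.parse(wire); } catch { return null; }
  if (typeof parsed !== "object" || parsed === null) return null;
  const { event, provenance } = parsed as { event?: unknown; provenance?: { signature?: unknown } };
  const ev = parseEvent(event);
  const sig = provenance?.signature;
  if (ev === null || typeof sig !== "string") return null;
  return verify(ev, sig, key) ? ev : null;
}

// Engine side: the verdict is a function of the conformant fields only.
export function judge(event: AgentEvent): Verdict {
  return event.risk_hint >= 0.5 ? "block" : "allow";
}

// Property a test suite can assert: whatever a vendor puts in
// vendor_extensions, the verdict does not move.
export function verdictIgnoresExtensions(event: AgentEvent, ext: Record<string, unknown>): boolean {
  const bare: AgentEvent = { ...event };
  delete bare.vendor_extensions;
  return judge({ ...bare, vendor_extensions: ext }) === judge(bare);
}
```

The order in `fromWire` matters: a correctly signed event that carries an extra field (say, the raw prompt smuggled in by a misbehaving adapter) is still rejected by `parseEvent`, because a valid signature proves origin, not schema conformance. Reports in the "schema validation bypass" class are exactly those where an event with such extra or out-of-range fields gets past this step.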
- Acknowledgment: within 72 hours
- Initial assessment: within 7 days
- Coordinated disclosure: timing negotiated with reporter
Pre-1.0 phase: only the latest minor version receives security patches. Once stable (post-1.0), the policy will expand to cover the last two major versions.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |