Microcosm
This page

Reference

Vulnerability disclosure

Use this page to report a vulnerability or security issue in the public Microcosm website or the standalone public repository.

Scope

In scope: this static website, its same-origin files, the public Microcosm repository or export, claims about what is and is not published, and public fixture or evidence leakage. Reports are most useful when they name the page, file, command, evidence id, or source path involved.

Out of scope: the private working environment behind Microcosm, provider accounts, browser sessions, personal devices, third-party platforms, social engineering, denial-of-service testing, account-secret guessing, and any test that accesses data you do not own.

How to report

Preferred private reporting channel: use GitHub's Report a vulnerability flow on the Microcosm repository's Security Advisories page.

The record docs/dissemination/microcosm_github_private_vulnerability_reporting_receipt_v0.json is the proof that GitHub Private Vulnerability Reporting is enabled for the public repository. If the GitHub button is not visible, do not open a public issue for vulnerability details.

Include the affected URL or source path, command or evidence id if relevant, a short redacted description, expected versus observed boundary, and whether the report appears to be a leak, a claim that overstates what is published, hosted-header drift, CI or supply-chain issue, or unsafe exploit-content issue.

Do not paste suspected secrets, non-public account data, private payloads, raw prompts, model payload bodies, session values, or exploit-sensitive details into public channels. No separate security email address is published on this page; use the private GitHub report flow.

Expectations

Coordinated disclosure is preferred. Good-faith reports should stay inside the public repository boundary and should not attempt to reach private systems, provider accounts, browser sessions, personal devices, or third-party systems. There is no bug bounty because I cannot currently fund one on a student budget.

Boundaries

The security.txt file and this page identify a public policy route, not permission for intrusive testing. Do not run destructive, high-volume, automated, or account-targeting tests. Do not attempt to reach private systems or data. Public release and safety statements stay limited to the generated static files and the checks that have actually run against them; there is no backend service behind the site to probe.

Microcosm is a research prototype with a static public site and a private way to report issues. It is not a production security product, a hosted agent service, a bug-bounty program, or a claim of real-world exploit resistance.

Source & license Open on GitHub →