Vulnerability Reporting

If you discover a security vulnerability in Omnodex, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.

Email security@omnodex.com with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Affected versions, if known
  • Any suggested fix, if you have one

We will acknowledge your report within 5 business days and work with you to understand and address the issue. We aim to provide a fix or mitigation plan within 30 days of confirmation, depending on complexity.

We are interested in vulnerabilities in the Omnodex software itself, including:

  • Event log tampering or integrity bypass
  • Rule engine bypass (risk events that should fire but don’t)
  • Credential or sensitive data leakage through Omnodex’s own operation
  • Interceptor vulnerabilities that could affect the host agent’s execution
  • Encryption weaknesses in the sync encryptor or key derivation
  • Authentication or authorization issues in cloud API interactions

The following are out of scope:

  • Vulnerabilities in upstream dependencies (report those to the dependency maintainer; let us know if Omnodex is affected so we can update)
  • Issues in AI agents that Omnodex monitors (those are the agent platform’s responsibility)
  • Social engineering or phishing attacks against Omnodex team members
  • Denial of service via resource exhaustion against local CLI tools

We follow coordinated disclosure. We ask that you give us reasonable time to address the issue before making it public. We will credit reporters in the fix announcement unless you prefer to remain anonymous.

During the current pre-1.0 development phase, security fixes are applied to the latest release only. We do not backport fixes to older versions at this time.

See omnodex.com/security for the complete security policy, including Omnodex’s security design principles.