Overview
OCX takes security seriously. This page covers the vulnerability disclosure process, the response timeline, and the scope of security coverage.
Vulnerability Disclosure
If you believe you have found a security vulnerability in OCX, please report it privately rather than in a public issue. Contact: ocx-security@alias.kdco.llc
Disclosure Policy
- Response Time: Reports are acknowledged within 48 hours.
- Resolution: A fix is released, or the issue is publicly disclosed, within 90 days of the initial report.
- Coordinated Disclosure: Do not disclose the vulnerability publicly until OCX maintainers have had a chance to address it.
Security Scope
In Scope
- Vulnerabilities in the OCX CLI tool.
- Issues with the integrity verification mechanism.
- Flaws in the registry resolution logic.
Out of Scope
- Vulnerabilities in third-party extensions/agents themselves (report these to their respective maintainers).
- Attacks that require a prior compromise of the local machine where OCX is running.
- Social engineering attacks.
See Also
- Security Verification — How SHA-256 integrity verification works.
- Enterprise Overview — Registry locking and audit features.
- Profile Security — Controlling what OpenCode sees in untrusted repositories.