Overview
OCX takes security seriously. This page covers the vulnerability disclosure process, response timeline, and the scope of security coverage.
Vulnerability Disclosure
If you believe you have found a security vulnerability in OCX, please report it responsibly.
Contact: ocx-security@alias.kdco.llc
Disclosure Policy
- Response Time: Reports are acknowledged within 48 hours.
- Resolution: A resolution or public disclosure is provided within 90 days of the initial report.
- Coordinated Disclosure: Do not disclose the vulnerability publicly until OCX maintainers have had a chance to address it.
Security Scope
In Scope
- Vulnerabilities in the OCX CLI tool.
- Issues with the integrity verification mechanism.
- Flaws in the registry resolution logic.
Out of Scope
- Vulnerabilities in third-party extensions/agents themselves (report these to their respective maintainers).
- Compromise of the local machine where OCX is running.
- Social engineering attacks.
See Also
- Security Verification — How SHA-256 integrity verification works.
- Enterprise Overview — Registry locking and audit features.
- Profile Security — Controlling what OpenCode sees in untrusted repositories.