Security

Reporting Vulnerabilities
At ctx we take security very seriously.
If you discover a security vulnerability in ctx, please report it responsibly.
Do NOT open a public issue for security vulnerabilities.
Email
Send details to security@ctx.ist
GitHub Private Reporting
- Go to the Security tab
- Click "Report a vulnerability"
- Provide a detailed description
What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response Timeline
| Stage | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Resolution target | Within 30 days (depending on severity) |
Security Design
ctx is designed with security in mind:
- No secrets in context: The constitution explicitly forbids storing secrets, tokens, API keys, or credentials in `.context/` files
- Local only: ctx runs entirely locally with no external network calls
- No code execution: ctx reads and writes Markdown files only; it does not execute arbitrary code
- Git-tracked: Core context files are meant to be committed, so they should never contain sensitive data. Exception: `sessions/` and `journal/` contain raw conversation data and should be gitignored
Best Practices
- Review before committing: Always review `.context/` files before committing them
- Use .gitignore: If you must store sensitive notes locally, add those files to `.gitignore` so they are never committed
- Drift detection: Run `ctx drift` to check for potential issues
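The first two practices above can be enforced mechanically rather than by eye. The following pre-commit style check is an added example, not code from the ctx project: it verifies that `.gitignore` excludes the raw `sessions/` and `journal/` directories and then greps the remaining `.context/` Markdown files for credential-shaped strings. The layout `.context/sessions/` and `.context/journal/`, the regex list, and the fixture contents are assumptions made for illustration; ctx's own file layout may differ.

```shell
#!/bin/sh
# Added example, not part of the ctx project. Pre-commit style gate for a
# ctx-style repository: (1) .gitignore must exclude sessions/ and journal/,
# (2) no credential-shaped strings in the committed .context/ Markdown files.
# Directory layout and patterns below are assumptions for illustration.

# Credential shapes worth refusing. Deliberately broad: a false positive costs
# a human glance, a false negative costs a leaked key.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|sk-[A-Za-z0-9]{20,}|(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+-]{12,}"

# check_gitignore ROOT: fail unless ROOT/.gitignore covers sessions/ and journal/.
check_gitignore() {
  gi="$1/.gitignore"
  [ -f "$gi" ] || { echo "missing $gi" >&2; return 1; }
  rc=0
  for d in sessions journal; do
    grep -qE "(^|/)$d/?\$" "$gi" || { echo ".gitignore does not exclude $d/" >&2; rc=1; }
  done
  return $rc
}

# scan_context_dir ROOT: print every credential-looking line in the context
# files that would be committed. sessions/ and journal/ are pruned because
# they are gitignored and never reach a commit. Returns 1 if anything matched.
scan_context_dir() {
  hits=$(find "$1/.context" \( -name sessions -o -name journal \) -prune \
           -o -type f -name '*.md' -print \
         | while IFS= read -r f; do
             grep -nHiE "$SECRET_PATTERNS" "$f" || true   # grep exits 1 on no match
           done)
  if [ -n "$hits" ]; then
    printf 'secret-looking content in context files:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# check_repo ROOT: the combined gate a pre-commit hook would call.
check_repo() {
  check_gitignore "$1" && scan_context_dir "$1"
}

# make_sample_repo DIR KIND: build a constructed fixture ("clean" or "leaky"),
# not real ctx data, so the check can be exercised offline.
make_sample_repo() {
  mkdir -p "$1/.context/sessions" "$1/.context/journal"
  printf '%s\n' '.context/sessions/' '.context/journal/' > "$1/.gitignore"
  printf '# Constitution\n\nNever store credentials in context files.\n' > "$1/.context/constitution.md"
  # Ordinary prose mentioning "token" must not trip the scanner.
  printf 'Keep the token budget under 8k tokens per session.\n' > "$1/.context/notes.md"
  # Raw conversation data lives in sessions/ and is gitignored, so a token in
  # it is skipped by the scan rather than blocking the commit.
  printf 'assistant: token=ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n' > "$1/.context/sessions/2024-01-01.md"
  if [ "$2" = leaky ]; then
    printf 'Deploy notes\n\nAWS_ACCESS_KEY=AKIAABCDEFGHIJKLMNOP\n' > "$1/.context/deploy.md"
  fi
}

# Demo when run directly: a clean tree passes, a tree with a key in a
# committed context file is blocked.
demo_root=$(mktemp -d)
make_sample_repo "$demo_root/clean" clean
make_sample_repo "$demo_root/leaky" leaky
for r in clean leaky; do
  if check_repo "$demo_root/$r"; then echo "$r: ok to commit"; else echo "$r: blocked"; fi
done
rm -rf "$demo_root"
```

To use it as a hook, call `check_repo "$(git rev-parse --show-toplevel)"` from `.git/hooks/pre-commit` and let a non-zero exit abort the commit. The patterns are intentionally loose; tighten them to the credential formats your team actually handles, but keep the `sessions/` and `journal/` check, since that is what stops raw conversation data from being committed in the first place.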
Attribution
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (unless they prefer to remain anonymous).