| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |

We take security issues in Canon seriously. We appreciate your efforts to disclose your findings responsibly.
Please report security issues by emailing: security@warforge.tech
Include the following information:
- Description of the issue
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity, typically 30-90 days

We ask that you:
- Give us reasonable time to address the issue before public disclosure
- Make a good faith effort to avoid privacy violations and data destruction
- Do not access or modify other users' data

Canon is designed with security as a core principle:
- Capability-based access control: All effects require explicit capabilities
- Policy enforcement: OPA/Rego policies gate all operations
- No ambient authority: Code cannot access resources without explicit grants
- Audit trails: AI provenance tracking for all generated code

This security policy applies to:
- The Canon CLI tool
- The Canon runtime
- Official Canon examples and documentation

Third-party integrations and user-generated Canon programs are outside this scope.