Security: scthornton/securecode-aiml

SECURITY.md

Security Policy

Supported Versions

Version Supported
3.0.x
2.0.x
< 2.0

Reporting a Vulnerability

Security Issues in Dataset Examples

If you discover a security vulnerability in one of the code examples (incorrect secure implementation, missing defense, etc.), please:

  1. DO NOT open a public GitHub issue
  2. Email security findings to: scott@perfecxion.ai
  3. Include:
    • Example ID and file name
    • Description of the security issue
    • Proposed fix or improvement

Response time: We aim to acknowledge reports within 48 hours and provide a fix timeline within 1 week.

Security Issues in Scripts or Tooling

For vulnerabilities in the validation scripts, generation tools, or project infrastructure:

  1. Open a private security advisory on GitHub
  2. Or email: scott@perfecxion.ai with subject "Security: Tooling Vulnerability"

What Qualifies as a Security Issue

YES - Please report:

  • Incorrect secure code implementations that are still vulnerable
  • Missing security controls in "secure" examples
  • Citations linking to compromised or malicious sources
  • Code execution vulnerabilities in validation scripts
  • Injection vulnerabilities in generation tooling

NO - Use regular GitHub issues:

  • Syntax errors in code blocks
  • Missing examples for specific attack types
  • Documentation improvements
  • Feature requests for new categories

Responsible Disclosure

We practice coordinated vulnerability disclosure:

  1. Report → Security team acknowledgment (48 hours)
  2. Investigation → Root cause analysis (1 week)
  3. Fix → Patch development and testing (2 weeks)
  4. Disclosure → Public disclosure after fix is released

Security Best Practices for Users

When Using These Examples for Training

⚠️ WARNING: These examples contain intentionally vulnerable code for educational purposes.

DO:

  • ✅ Use in isolated training environments
  • ✅ Clearly label vulnerable vs secure implementations
  • ✅ Validate secure examples before production use
  • ✅ Test all security controls in your own environment

DO NOT:

  • ❌ Deploy vulnerable code to production
  • ❌ Use attack examples for malicious purposes
  • ❌ Assume secure examples are production-ready without testing
  • ❌ Train models on vulnerable code without safety filters

When Contributing Examples

Security review checklist:

  • Vulnerable code is clearly labeled as VULNERABLE/INSECURE
  • Secure code includes comprehensive defense-in-depth
  • Real-world incidents are accurately cited
  • Attack vectors are grounded in T1-T3 sources
  • No sensitive credentials or real infrastructure details
  • Exploitation code is educational, not weaponized

Security Acknowledgments

We appreciate responsible disclosure from the security community. Contributors will be acknowledged in:

  • Security advisories (with permission)
  • Release notes for fixes
  • Special thanks in dataset documentation

Hall of Fame: (Coming soon - first vulnerability reporter!)

Contact

Security Team: scott@perfecxion.ai
PGP Key: (Available on request)
Response SLA: 48 hours acknowledgment, 1 week investigation


Last Updated: 2026-01-26
Version: 1.0

There aren’t any published security advisories