Security: t81dev/t81-foundation

SECURITY.md

Security Policy

Source of Truth: This document defines the supported versions and vulnerability reporting process.

Last Updated: February 10, 2026

1. NIST Compliance & High-Assurance AI Infrastructure

We are aligning the T81 Foundation stack with NIST SP 800-218 (SSDF) and NIST SP 800-53 controls. This is critical for maintaining a high-assurance, auditable AI infrastructure.

Our core security posture includes:

  • Deterministic Execution: Bit-exact reproducibility enforcing strict supply-chain and execution trace verification.
  • Opcode-Level Policy Enforcement: The Axion kernel enforces security and alignment policies directly at the VM instruction level.
  • Signed Releases & SBOM: Release artifacts are cryptographically signed and accompanied by a Software Bill of Materials (SBOM) for complete supply-chain provenance.
  • Formal Threat Model: A robust, continually updated threat model (docs/governance/DETERMINISM_THREAT_MODEL.md) paired with a Coordinated Vulnerability Disclosure (CVD) policy.

2. Supported Versions

We support the current MAJOR version and the immediate previous MAJOR version for critical security fixes.

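| Version | Supported | Notes                                       |
|---------|-----------|---------------------------------------------|
| v1.x    | ✅ Yes    | Active: Critical fixes and feature updates. |
| v0.x    | ❌ No     | End of Life: No longer supported.           |
| < v1.0  | ❌ No     | Deprecated.                                 |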

3. Reporting a Vulnerability

Please report vulnerabilities privately through GitHub Security Advisories.

If advisory reporting is unavailable, contact a maintainer privately and include:

  • affected component/path,
  • impact summary,
  • minimal reproduction,
  • suggested remediation (if known).

Do not publish exploit details in public issues before a fix is available.

4. Scope

Security-relevant areas include:

  • VM execution and memory safety boundaries,
  • Axion policy enforcement surfaces,
  • CanonFS persistence and trace integrity,
  • CLI/runtime artifact handling,
  • workflow/CI supply-chain integrity.

5. Response Goals

  • Initial triage acknowledgment: best effort within 72 hours.
  • Severity assessment and mitigation plan: as quickly as practical based on impact.
  • Coordinated disclosure after fix availability.

6. Handling Expectations

  • Provide deterministic reproduction steps where possible.
  • Avoid including secrets in reports.
  • If the issue affects reproducibility or contract integrity, include expected vs actual deterministic outputs.
