Security

Vulnerability disclosure policy, posture, and contact for the ShieldCortex npm package, dashboard, and SaaS API. Last updated: 27 May 2026.

Reporting a vulnerability

Email: security@drakonsystems.com

PGP key fingerprint published at /.well-known/security.txt (request the full key by reply).

For non-security bug reports, open an issue at github.com/Drakon-Systems-Ltd/ShieldCortex instead. Do not file a public issue for security vulnerabilities.

Response commitments

Stage                             Target
Initial acknowledgement           Within 48 hours
Triage + severity assignment      Within 5 business days
Critical/High fix or mitigation   Within 30 days of triage
Medium/Low fix                    Next scheduled release
Public disclosure coordination    After fix shipped; default 90-day max embargo

These are commitments by Drakon Systems Ltd, not contractual SLAs. We will tell you immediately if a target will slip.

In scope

  • The published shieldcortex npm package (latest two major versions)
  • The bundled local dashboard server (port 3838)
  • The SaaS API at api.shieldcortex.ai (Hono + Drizzle + Postgres on Fly.io)
  • The marketing site at shieldcortex.ai (Astro)
  • The dedicated OpenClaw plugin @drakon-systems/shieldcortex-realtime
  • Defence pipeline correctness issues (e.g. patterns that should fire but don't, false negatives on documented attack classes)
  • Credential leak, prompt-injection, and memory-poisoning bypasses against the documented detection layers

Out of scope

  • Findings that require a malicious local user already on the host (the package is designed to run on the user's own machine)
  • Denial of service against your own local memories.db
  • Missing security headers without a demonstrable impact
  • Self-XSS in the local dashboard requiring console paste
  • Vulnerabilities in better-sqlite3, @anthropic-ai/sdk, Node.js, Fly.io infrastructure, or other third-party software outside Drakon Systems' control — please report those upstream
  • Spam, social engineering of staff, physical attacks
  • Issues against pre-release branches or unsupported old versions (anything older than the previous major)

Safe-harbour commitment

If you act in good faith — staying within the scope above, avoiding privacy violations and service disruption, and giving us reasonable time to remediate before public disclosure — we will not initiate legal action against you. We extend this protection to:

  • Testing against your own machine, your own ShieldCortex Cloud account, or a designated test account you have created
  • Authorised testing against teams you own or have written permission to test

We do not authorise testing against the accounts of other ShieldCortex Cloud users.

Engineering posture

  • Open source: the npm package and bundled dashboard are MIT-licensed; full source at github.com/Drakon-Systems-Ltd/ShieldCortex
  • Reproducible benchmarks: npm run bench regenerates the retrieval scorecard locally; see benchmark/longmemeval/SCORECARD.md
  • Defence canary: every shieldcortex doctor run pushes a synthetic injection probe through the firewall and asserts it was blocked (since v4.22.0)
  • CI test suite: 1,240+ tests run on every PR; results visible on the public repo
  • Transport: TLS 1.2+ enforced on api.shieldcortex.ai and shieldcortex.ai via Fly.io
  • Secrets: bcrypt-hashed API keys, single-use 15-minute magic-link tokens, 7-day session tokens, secrets stored in Fly Machines secrets

Compliance roadmap

We publish this honestly rather than claim certifications we do not yet hold.

Item                                          Status
UK GDPR & Data Protection Act 2018            Compliant — see /gdpr
Vulnerability disclosure policy (this page)   Live
security.txt (RFC 9116)                       Live at /.well-known/security.txt
External penetration test                     Not yet commissioned
SOC 2 Type I                                  Not started
SOC 2 Type II                                 Not started
ISO 27001                                     Not started
Cyber liability insurance                     Not yet in place

Enterprise procurement teams that need a specific control: email security@drakonsystems.com and we will respond honestly about feasibility and timeline.

Operating entity

Drakon Systems Ltd
Company number 16867343 (England & Wales)
Registered office: 34 Lumina Way, Enfield, England, EN1 1FS
security@drakonsystems.com