cimt-kernel is a reference implementation of a certification calculus. It is not a production security boundary, real-world safety certificate, incident-response system, sandbox, policy engine, or deployment governance system.
For vulnerabilities in the reference code, open a public issue only when the report does not include secrets, private data, exploit payloads against third parties, or confidential system details. If private disclosure is needed, use the maintainer contact path configured by the repository owner.
Do not include credentials, tokens, keys, private logs, model prompts containing private data, proprietary datasets, or environment files in reports.
Scope of the reference implementation:
- Tests and examples do not call live LLM APIs, live benchmarks, or external services.
- The CLI is a local developer tool, not a network service.
- Example certificates use synthetic commitments and receipts.
- Runtime conformance, receipt retention, sandboxing, and provider drift monitoring are represented as evidence objects, not implemented controls.
Useful reports include cases where the kernel:
- treats missing evidence as success;
- allows candidate-defined target success to promote a claim;
- accepts zero observed events as exact zero;
- lets target-channel wins repair missing receipts, conformance, scope closure, or model-policy evidence;
- accepts malformed portable JSON in a way that changes the decision;
- leaks local paths or secret-like data through examples, docs, or deterministic CLI error payloads.
Reports about real-world model behavior, live benchmark performance, or deployment safety are outside this repository unless they identify a concrete bug in the reference kernel or documentation.