Cortex must be deployed with due care over system configuration, using principles such as “least privilege” to limit any exposure due to flaws in the source code.

You must configure authorisation and authentication externally to Cortex; see this guide

Information about security disclosures and mailing lists is in the main repo