Security: CloudSecurityAlliance/.github

SECURITY.md

Security Policy

Reporting a Security Vulnerability

If you discover a security vulnerability in any software hosted under the CloudSecurityAlliance GitHub organization, please report it through GitHub's Private Vulnerability Reporting (PVR):

  1. Go to the Security tab of the affected repository
  2. Click "Report a vulnerability"
  3. Fill out the form with details about the vulnerability

GitHub accounts are free. This is the method for reporting vulnerabilities in public repositories in the CloudSecurityAlliance GitHub organization. For private repositories, see the SECURITY.md within that repository.

Why Private Vulnerability Reporting

We use GitHub's built-in Private Vulnerability Reporting because it provides a standardized, integrated workflow for receiving, triaging, and publishing security advisories. CSA uses the GitHub-recommended security configuration with no customizations applied.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected versions or components (if known)
  • Impact assessment (if known)
  • Any proof-of-concept code

What to Expect

  • CSA will acknowledge and triage your report
  • Our default is to publish advisories openly and quickly — we treat public disclosure as the norm, not the exception. Advisories will only remain private temporarily if there is a specific reason to delay
  • GitHub automatically credits your GitHub account on the published advisory
  • CSA is a nonprofit — we do not offer bug bounties

Scope

This policy covers all software and services hosted under the CloudSecurityAlliance GitHub organization.

For security issues related to CSA web properties (e.g., cloudsecurityalliance.org) or other non-GitHub concerns, see CSA's security.txt (RFC 9116).

Safe Harbor

CSA supports responsible security research. If you act in good faith and follow this policy, CSA will not pursue legal action against you.

More Information

For full details on CSA's product security program and policies, see github.com/CloudSecurityAlliance/csa-product-security.