The TCASVS leaders and community take all security bugs seriously. We appreciate your efforts to disclose issues responsibly and will make every effort to acknowledge your contributions.
Email Dave.hanson@owasp.org with the following information:
- Your name and affiliation (optional but appreciated)
- Description of the vulnerability
- Steps to reproduce the issue
- Current public knowledge of this vulnerability (e.g. related CVE, security advisory, etc.)
- Acknowledgement: within 3 business days of receiving your report
- Assessment: we will confirm whether the finding is accepted or declined within 7 business days
- Patch: if accepted, we aim to publish a fix within 14 business days
This policy covers the TCASVS standard content, build tooling, and CI/CD pipelines in this repository. For vulnerabilities in the OWASP website infrastructure itself, please report to the OWASP Foundation.