Skip to content

Security: OWASP/TCASVS

Security

SECURITY.md

TCASVS Security Policy

The TCASVS leaders and community take all security bugs seriously. We appreciate your efforts to disclose issues responsibly and will make every effort to acknowledge your contributions.

Reporting Guidelines

Email Dave.hanson@owasp.org with the following information:

  1. Your name and affiliation (optional but appreciated)
  2. Description of the vulnerability
  3. Steps to reproduce the issue
  4. Current public knowledge of this vulnerability (e.g. related CVE, security advisory, etc.)

Response Timeline

  • Acknowledgement: within 3 business days of receiving your report
  • Assessment: we will confirm whether the finding is accepted or declined within 7 business days
  • Patch: if accepted, we aim to publish a fix within 14 business days

Scope

This policy covers the TCASVS standard content, build tooling, and CI/CD pipelines in this repository. For vulnerabilities in the OWASP website infrastructure itself, please report to the OWASP Foundation.

There aren't any published security advisories