If you discover a security vulnerability in this repository or in any CPS product governed by this framework, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
- GitHub Security Advisories — use the private vulnerability reporting feature on this repository.
- Email — contact the repository owner directly (see GitHub profile).
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- The affected files, schemas, or governance artifacts
- Whether the vulnerability could affect safety functions (SF-n), safety constraints (SC-n), or safety-security interactions (SSI-n)
| Action | Target time |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial triage | Within 48 hours |
| Status update | Every 2 weeks until resolution |
This policy covers:
- The governance framework content in this repository (policies, registers, schemas, templates)
- Validation scripts and CI/CD workflows
- Security issues in CPS products themselves are out of scope for this repository; report them under the product-specific coordinated vulnerability disclosure (CVD) policy defined in POL-CPS-04
For the complete vulnerability disclosure and handling policy — including ENISA reporting obligations under the Cyber Resilience Act, safety-critical patch handling, and customer notification procedures — see POL-CPS-04 — Vulnerability Disclosure and Handling.
This repository follows a trunk-based model. Only the main branch represents the approved, current state of CPS governance. Security fixes are applied to main directly via pull requests; there are no long-lived release branches to backport to.