The Security Controls Catalog is primarily structured data and documentation, but we take the integrity of this repository and any associated tooling seriously.
Please report security issues privately, not in a public GitHub issue or pull request, using either channel:
- GitHub Private Vulnerability Reporting (preferred for this repository): go to the Security tab → Report a vulnerability. This opens a private advisory visible only to you and the maintainers.
- Email: security@cloudsecurityalliance.org
Please include enough detail for us to reproduce or assess the issue (the affected file or tool, steps to reproduce, and the impact you believe it has). We will acknowledge your report, investigate, and keep you informed of the resolution. Please give us reasonable time to address the issue before any public disclosure.
This follows CSA's security policy: https://cloudsecurityalliance.org/security.
Errors in catalog content or mappings (a wrong mapping, an inaccurate control description) are not security vulnerabilities — please raise those as normal issues or pull requests so the working group can review them.