This is the fallback security policy for repositories in the OpenHandoffProtocol organization. Individual repositories may publish their own SECURITY.md that takes precedence.
Please do not open public issues for suspected security vulnerabilities. Report them privately through either of:
- Email: security@cloud.ax
- GitHub Security Advisories: open a private advisory on the affected repository (e.g. OHP advisories)
Include, where possible:
- Affected repository, branch, commit SHA, and spec / schema version.
- A minimal reproduction (test vector, code snippet, captured envelope).
- Your assessment of impact (confidentiality, integrity, authenticity, privacy).
- Whether you'd like public credit on disclosure.
| Stage | Target |
|---|---|
| Acknowledgement of report | within 3 business days |
| Initial triage and severity classification | within 7 business days |
| Coordinated disclosure window (default) | 90 days |
The window may be shortened (for active exploitation) or extended (with reporter agreement) when warranted.
In scope at this org level:
- The OHP specification, schemas, examples, and conformance test vectors.
- Reference implementations and tooling published in this organization.

Out of scope at this org level: vulnerabilities in third-party implementations of OHP that are not hosted in this organization. Please report those directly to their maintainers.