Vulnerability Disclosure

Huzefaaa2 edited this page May 18, 2026 · 1 revision

CAVRA is security-sensitive infrastructure for AI-assisted software delivery. Vulnerability handling must protect reporters, customers, release artifacts, and audit evidence.

Scope

In scope:

  • policy bypasses or inconsistent policy decisions;
  • evidence bundle tampering, weak signature handling, or checksum gaps;
  • approval routing, RBAC, OIDC, or break-glass authorization failures;
  • repository, MCP, SIEM, ITSM, or ChatOps connector secret exposure;
  • API or console privilege escalation;
  • Go runtime release package integrity failures;
  • unsafe defaults that weaken enterprise branch protection or required checks.

Reporter Workflow

  1. Report privately through GitHub private vulnerability reporting when enabled.
  2. Include affected version, commit, workflow run, release asset, or evidence bundle.
  3. Include reproduction steps and expected impact.
  4. Include checksums, signatures, provenance, logs, or policy packs when relevant.
  5. Avoid public disclosure until a fix, advisory, and release verification path are available.

Maintainer Workflow

  1. Acknowledge high and critical reports within two business days.
  2. Assign severity from the CAVRA triage model in SECURITY.md.
  3. Create a private fix branch or tightly scoped maintainer branch.
  4. Add regression tests that fail before the fix.
  5. Update documentation, release evidence, and affected diagrams when behavior changes.
  6. Publish a GitHub Security Advisory or release advisory note after remediation.

Enterprise Value

This workflow gives CISOs and procurement teams a clear path for reporting security issues without exposing exploit details in public issues. It also connects remediation to CAVRA release evidence, which matters for regulated SDLC adoption.
