-
Notifications
You must be signed in to change notification settings - Fork 0
Vulnerability Disclosure
Huzefaaa2 edited this page May 18, 2026
·
1 revision
CAVRA is security-sensitive infrastructure for AI-assisted software delivery. Vulnerability handling must protect reporters, customers, release artifacts, and audit evidence.
In scope:
- policy bypasses or inconsistent policy decisions;
- evidence bundle tampering, weak signature handling, or checksum gaps;
- approval routing, RBAC, OIDC, or break-glass authorization failures;
- repository, MCP, SIEM, ITSM, or ChatOps connector secret exposure;
- API or console privilege escalation;
- Go runtime release package integrity failures;
- unsafe defaults that weaken enterprise branch protection or required checks.
- Report privately through GitHub private vulnerability reporting when enabled.
- Include affected version, commit, workflow run, release asset, or evidence bundle.
- Include reproduction steps and expected impact.
- Include checksums, signatures, provenance, logs, or policy packs when relevant.
- Avoid public disclosure until a fix, advisory, and release verification path are available.
- Acknowledge high and critical reports within two business days.
- Assign severity from the CAVRA triage model in
SECURITY.md. - Create a private fix branch or tightly scoped maintainer branch.
- Add regression tests that fail before the fix.
- Update documentation, release evidence, and affected diagrams when behavior changes.
- Publish a GitHub Security Advisory or release advisory note after remediation.
This workflow gives CISOs and procurement teams a clear path for reporting security issues without exposing exploit details in public issues. It also connects remediation to CAVRA release evidence, which matters for regulated SDLC adoption.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Technology Stack
- Conclusion