This security policy applies to:
- All repositories in the aiddlc organisation
- The reference portal implementation (aiddlc/reference-portal)
- The aiddlc.ai website
The AIDDLC Standard specification itself (a document) is not a security surface. Security reports for the standard should be submitted as clarification issues if they concern specification text that could lead to insecure implementations. Use the responsible disclosure process below only for software vulnerabilities in the reference portal or website.
Do not open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available places users of the reference implementation at risk.
Send an email to security@aiddlc.ai with:
- Subject line: AIDDLC Security: [brief description]
- Description: What the vulnerability is, how it was discovered, and what its potential impact is
- Reproduction steps: Sufficient detail to reproduce the issue
- Affected component: Which repository and, if known, which component or version
- Your contact details: For follow-up (optional — anonymous reports are accepted)
PGP encryption is available on request. Email security@aiddlc.ai to request our public key before sending sensitive details.
| Milestone | Timeline |
|---|---|
| Acknowledgement of your report | Within 5 business days of receipt |
| Initial assessment (confirmed / not confirmed) | Within 14 days of receipt |
| Status update | Within 30 days of receipt |
| Fix released or disclosure timeline agreed | Within 90 days of receipt |
We commit to resolving reported vulnerabilities within 90 days of the acknowledgement of your report. If a fix cannot be delivered within 90 days, we will contact you to agree a coordinated disclosure timeline.
If we have not responded within 5 business days of your initial report, you may proceed with coordinated disclosure after making reasonable attempts to contact us.
We will:
- Acknowledge your report within 5 business days
- Provide a status update within 30 days
- Credit you in the release notes for the fix, unless you request anonymity
- Notify you when a fix is released
- Keep you informed of our progress throughout
We ask that reporters:
- Do not open public GitHub issues for security vulnerabilities
- Do not disclose the vulnerability publicly before the 90-day window has elapsed (or a fix has been released, whichever is earlier)
- Do not access data you do not have authorisation to access in the course of your research
- Do not perform denial-of-service attacks or any action that could harm the availability of the service for other users
| Version | Supported |
|---|---|
| reference-portal: latest release | Yes |
| reference-portal: prior release | Security patches only |
| website: latest | Yes |
Maintained by 10QBIT Technologies · security@aiddlc.ai