
Security: arusso-aboutcloud/crosswise


SECURITY.md

Security Policy

Scope

This policy covers security vulnerabilities in the Crosswise tool itself — for example, bugs in the CLI that could allow privilege escalation within the tool, unintended access to data passed to or processed by Crosswise, or exposure of credentials used during a scan.

This policy does not cover vulnerabilities in your own Microsoft Entra ID tenant or Azure environment. If you believe you have found a vulnerability in a Microsoft product or service, report it directly to the Microsoft Security Response Center (MSRC).

Reporting a vulnerability

Preferred: GitHub Private Vulnerability Reporting. Use the Report a vulnerability form in the Security tab. This opens a private draft advisory visible only to you and the maintainer, with no public disclosure until a fix is ready.

No GitHub account: email security@aboutcloud.io.

Please include:

  • A description of the vulnerability
  • Steps to reproduce it
  • The version of Crosswise you are using
  • Any relevant logs or output. Please redact tenant identifiers, user identifiers, role assignment data, and other sensitive information before sending. If a vulnerability requires reproduction against actual tenant data, contact us first and we will arrange a secure channel — do not send sensitive data by email.

You should receive an acknowledgement within 7 days and a triage decision within 14 days. There is no guaranteed remediation timeline, but you will be kept informed of progress.

Please do not open a public GitHub issue for security vulnerabilities.

Data flow and design principles

Crosswise is a local tool, not a service. Understanding the data flow is important for users handling sensitive tenant data.

What Crosswise reads. When you run crosswise scan, the tool reads data from Microsoft Graph and Azure Resource Manager APIs using credentials you supply at runtime. The scan reads directory role definitions, role assignments, and principal metadata — no mailbox data, no file content, no Microsoft 365 data.

Where data goes. Scan output is written only to the path you specify with --output. Crosswise does not transmit data to any Crosswise-operated infrastructure, telemetry endpoint, or third-party service. There is no network traffic from Crosswise except to Microsoft APIs (Graph and ARM).

Authentication. Crosswise uses Microsoft's device-code flow. When you run crosswise scan, a code and URL are printed to your terminal. You visit the URL in a browser and authenticate with your normal Entra credentials. This transaction is between you and Microsoft directly. Crosswise never sees your password, MFA response, or refresh token; it receives only the access token that Microsoft issues.

Token handling. Access tokens are held in memory only, for the duration of the collect command. They are never written to disk. The token cache is managed by the Azure Identity SDK and is cleared when the process exits.

Snapshot files. Snapshots may contain sensitive information depending on which collection commands have been run. Treat snapshot files accordingly: do not commit them to version control (.snapshot.json and snapshots/ are in .gitignore), do not share them publicly, and delete them when no longer needed.

Verbose logging. When --verbose is passed, Crosswise logs the URLs it requests and the HTTP status codes it receives. It never logs response bodies, access tokens, or tenant data.

No telemetry. Crosswise collects no usage metrics, crash reports, or analytics of any kind.

Supply chain and dependency scanning

Crosswise scans its own container image and Go module dependencies with Trivy on every push to main and on a weekly schedule. The build fails if any Critical-severity CVE is detected. Secret scanning with gitleaks runs on every push and PR and covers the full git history.

Full scan results (all severities) are uploaded to the GitHub Security tab as SARIF on every run. The current posture summary is visible in the README dashboard.
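As an added illustration of the scanning policy above, here is a GitHub Actions workflow that implements it: a Trivy job gated on Critical findings with full-severity SARIF uploaded to the Security tab, and a gitleaks job over the full history. This is not the Crosswise repository's own workflow file; the action version pins, the job names and the local image tag are assumptions.

```yaml
# Added example: a GitHub Actions workflow that matches the scanning policy
# above. It is not the Crosswise repository's own workflow; the action version
# pins, the job names and the local image tag are assumptions.
name: supply-chain-scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 3 * * 1"        # weekly, Monday 03:00 UTC

permissions:
  contents: read
  security-events: write       # required to upload SARIF to the Security tab

jobs:
  trivy:
    # Policy: Trivy runs on every push to main and weekly, not on PRs.
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: mkdir -p sarif
      - name: Build container image
        run: docker build -t crosswise:ci .   # local tag, placeholder

      # Report first: all severities, as SARIF, never fails the build, so the
      # upload below always has both files even if a gate fails afterwards.
      - name: Trivy fs scan of Go modules (full SARIF)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: sarif/trivy-fs.sarif
          exit-code: "0"

      - name: Trivy image scan (full SARIF)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: crosswise:ci
          format: sarif
          output: sarif/trivy-image.sarif
          exit-code: "0"

      - name: Upload SARIF to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif        # a directory uploads every SARIF file in it

      # Gates last: any Critical CVE in dependencies or the image fails the run.
      - name: Trivy fs scan (Critical gate)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL
          exit-code: "1"

      - name: Trivy image scan (Critical gate)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: crosswise:ci
          severity: CRITICAL
          exit-code: "1"

  gitleaks:
    # Policy: every push and PR; fetch-depth 0 gives gitleaks the full history.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The report and the gate are separate scans on purpose: Trivy's severity filter also filters the report it writes, so a single Critical-gated scan would upload a Critical-only SARIF and the Security tab would lose the lower-severity findings the policy says it shows.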

If you discover a vulnerability in a Crosswise dependency (a third-party Go module or the base container image), please report it via the process above rather than opening a public issue. Include the CVE identifier if one exists.

Bug bounty

This project does not have a bug bounty program.

Release-pipeline Entra application

Starting in v0.1.3, the Crosswise project operates a pipeline-only Entra app registration named Crosswise-RoleFetcher in the maintainer's tenant. This app is never user-facing:

  • It has only the RoleManagement.Read.Directory Graph permission (read public role definitions)
  • It accepts no user sign-ins; only the nightly GitHub Actions workflow authenticates as the app
  • Authentication uses federated credentials (no client secrets stored); GitHub OIDC tokens are exchanged for Graph access tokens
  • The federated credential is scoped to a single repository (arusso-aboutcloud/crosswise) and branch (main)

The app exists solely to authenticate the role-catalog refresh pipeline. It is structurally and operationally separate from any user-facing service. Users of Crosswise do not interact with this app in any way.

Compromise scenarios and mitigations:

  • Compromise of a GitHub OIDC token: Tokens are short-lived (~10 minutes), scoped to one specific workflow run, and bound to the specific repo+branch via the federated credential. A leaked token cannot be reused outside that scoped context.
  • Compromise of the Crosswise-RoleFetcher app credentials: No client secret exists. Compromise would require modifying the app's federated credential configuration, which requires access to the maintainer's Entra tenant — outside the threat surface of the Crosswise repo itself.
  • Malicious PR attempting to misuse the workflow: The refresh workflow runs only on main (per the federated credential scope). PR runs do not have access to the credential. Branch protection rules prevent unauthorized commits to main.
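The workflow side of the federated-credential setup described in this section, as an added example rather than the project's own pipeline file: the job requests a GitHub OIDC token, exchanges it for an Entra token with no client secret, and reads role definitions from Graph. The workflow and job names, the repository variable names holding the app (client) ID and tenant ID, and the output path are assumptions; the issuer, subject and audience values in the comment are the standard GitHub-to-Entra federated credential settings for this repository and branch.

```yaml
# Added example: a nightly refresh workflow authenticating with a GitHub OIDC
# federated credential, as described in the policy above. It is not the
# Crosswise repository's own workflow; the workflow and job names, the variable
# names holding the app (client) ID and tenant ID, and the output path are
# assumptions.
#
# Entra side, configured once on the Crosswise-RoleFetcher app registration
# (shown for reference, not managed by this file):
#   issuer:    https://token.actions.githubusercontent.com
#   subject:   repo:arusso-aboutcloud/crosswise:ref:refs/heads/main
#   audiences: api://AzureADTokenExchange
# Entra only accepts a GitHub token whose `sub` claim equals that subject,
# which is what pins the credential to this repository and to main.
name: refresh-role-catalog

on:
  schedule:
    - cron: "0 2 * * *"        # nightly
  workflow_dispatch:

permissions:
  contents: read
  id-token: write              # allows the job to request a GitHub OIDC token

jobs:
  refresh:
    runs-on: ubuntu-latest
    # Defence in depth: a run on any other ref would be rejected by the
    # federated credential's subject anyway.
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      # Exchanges the short-lived GitHub OIDC token for an Entra token. No
      # client secret exists; the app (client) ID and tenant ID are identifiers,
      # not secrets, so repository variables are sufficient.
      - name: Sign in as Crosswise-RoleFetcher (federated credential)
        uses: azure/login@v2
        with:
          client-id: ${{ vars.ROLEFETCHER_CLIENT_ID }}
          tenant-id: ${{ vars.ROLEFETCHER_TENANT_ID }}
          allow-no-subscriptions: true

      - name: Fetch public role definitions from Graph
        run: |
          # The app holds only RoleManagement.Read.Directory, so this token
          # can read role definitions and nothing else.
          TOKEN=$(az account get-access-token --resource-type ms-graph \
                    --query accessToken -o tsv)
          mkdir -p data
          curl -sSf -H "Authorization: Bearer $TOKEN" \
            "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" \
            -o data/role-catalog.json
      # Publishing the refreshed catalog (commit, PR or release asset) is the
      # project's choice and is not shown here.
```

This layout is what makes the mitigations above hold: the workflow has no pull_request trigger, fork PRs are not granted `id-token: write` in any case, and a token minted for any ref other than `refs/heads/main` carries a different `sub` claim and fails the exchange at Entra, so a PR cannot borrow the credential even if it edits the workflow file.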

There aren't any published security advisories