The RMACD Framework team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities by emailing:

security@rmacd-framework.org

Include the following information in your report:

• Type of vulnerability (e.g., schema bypass, privilege escalation pattern, compliance gap)
• Full path to the affected file(s) or schema
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if applicable)
• Impact assessment of the vulnerability
• Any suggested remediation

The following are in scope for security reports:

• Vulnerabilities in third-party implementations of RMACD
• Issues in platforms that integrate RMACD (report to those vendors)
• Theoretical attacks without practical exploitation path
• Social engineering attacks

We follow a 90-day responsible disclosure policy:

1. Reporter submits vulnerability privately
2. RMACD team acknowledges and investigates
3. Fix is developed and tested
4. Security advisory is prepared
5. Fix is released with coordinated disclosure
6. Reporter is credited (unless anonymity requested)

Security advisories will be published in:

• GitHub Security Advisories
• CHANGELOG.md (with CVE reference if applicable)
• Announcement on project communication channels

We believe in recognizing security researchers who help improve the framework:

• Credit in the security advisory (with permission)
• Acknowledgment in CHANGELOG.md
• Listing in a future Security Hall of Fame

We consider security research conducted consistent with this policy to be:

• Authorized and lawful
• Helpful to the community
• Conducted in good faith

We will not pursue legal action against researchers who:

• Make a good faith effort to avoid privacy violations and data destruction
• Only interact with accounts they own or have explicit permission to test
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
• Report vulnerabilities promptly and do not publicly disclose before resolution

When implementing RMACD in production environments:

• Store permission profiles in encrypted, access-controlled repositories
• Implement profile signing to prevent tampering
• Version control all profile changes with audit trails
• Review profiles quarterly for privilege creep

• Deploy Policy Decision Points (PDP) with high availability
• Implement defense-in-depth (don't rely solely on RMACD)
• Log all policy decisions with tamper-evident logging
• Monitor for anomalous permission patterns

• Classify all data sources before granting agent access
• Re-validate classifications periodically
• Default to higher classification when uncertain
• Implement automated classification verification

• Require multi-factor authentication for approvers
• Implement approval timeouts (don't allow indefinite pending)
• Log all approval decisions with justification
• Separate approval authority from agent operators

• Retain audit logs per regulatory requirements (minimum 1 year)
• Implement real-time alerting for Restricted data operations
• Conduct regular compliance audits against governance matrix
• Test incident response procedures quarterly

• Security issues: security@rmacd-framework.org
• General questions: contact@rmacd-framework.org
• GitHub: https://github.com/rmacdframework/spec

This security policy is effective as of January 2026 and will be reviewed quarterly.