Security contact

Primary channel - GitHub Security Advisories

Use GitHub's private vulnerability reporting. Reports are kept confidential until coordinated disclosure.

Do NOT open a public GitHub issue describing a vulnerability. Do NOT post to public forums or social media until the embargo period has ended.

Scope

This policy covers:

  • The ChangeSpec specification itself - flaws that cause any conforming implementation to be insecure.
  • Reference implementations in Go, TypeScript, and Python.
  • ChangeSpec-operated infrastructure: registry service, key aggregation, documentation hosting.
  • The conformance test suite - flaws that allow non-conforming implementations to pass.

In scope:

  • Flaws in signature design, canonicalization, key distribution, or trust model.
  • Denial-of-service attacks against reference implementations or infrastructure.
  • Authentication, authorization, or access control issues in the registry.
  • Vulnerabilities in dependencies shipped by the reference implementations that affect security.
  • Cryptographic implementation errors in reference validators or verifiers.
  • Any flaw that leads to spoofed events being accepted as authentic.

Out of scope:

  • Vulnerabilities in third-party implementations of the spec - report to those implementers directly.
  • Vulnerabilities in third-party platforms or aggregators that implement ChangeSpec.
  • Reports generated by automated scanners without validation.
  • Self-XSS in unauthenticated areas of the documentation site.

Response SLA

Stage Target Hard limit
Acknowledgement of report 24 hours 72 hours
Initial severity assessment 3 business days 7 business days
Mitigation plan communicated to reporter 7d critical, 14d high, 30d medium/low 45 days
Fix deployed (infrastructure) 14d critical, 30d high, 60d medium 90 days
Fix released (spec/reference impls) 21d critical, 45d high, 90d medium 120 days
Public disclosure Coordinated with reporter, default 90 days 180 days

What to include in a report

  1. A clear description of the vulnerability.
  2. The component(s) affected: spec section, reference implementation name, or infrastructure service.
  3. Steps to reproduce, including minimal test cases where applicable.
  4. Your assessment of severity and impact.
  5. Any proposed mitigations or patches.
  6. Your preferred attribution: name, pseudonym, or anonymous.
  7. Any disclosure deadline you require.

Safe harbor

The ChangeSpec Foundation commits to not pursue legal action against security researchers who:

  • Report vulnerabilities in good faith through the channels described here.
  • Give reasonable time for response before public disclosure.
  • Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
  • Do not extort, threaten, or coerce the Foundation.

This safe harbor applies to civil claims under the US Computer Fraud and Abuse Act, EU Directive 2013/40/EU, and equivalent laws to the extent permitted by law. Researchers should consult their own legal counsel for jurisdiction-specific advice.

security.txt

The full security.txt file following RFC 9116 is available at:

/.well-known/security.txt
Contact: https://github.com/changespec/spec/security/advisories/new
Expires: 2027-05-01T00:00:00.000Z
Acknowledgments: https://changespec.org/security/credits
Preferred-Languages: en
Canonical: https://changespec.org/.well-known/security.txt
Policy: https://changespec.org/security/

Acknowledgements

Reporters who responsibly disclose vulnerabilities are credited in the security advisory, the credits page, and the CHANGELOG entry for the fix release. Credit is opt-in; reporters who request anonymity are listed as "Anonymous Researcher".

No vulnerability reports have been received since the specification launched. This page will be updated as security advisories are published.