Security
Security disclosure policy
How to report vulnerabilities in the ChangeSpec specification, reference implementations, and operated infrastructure.
Security contact
Use GitHub's private vulnerability reporting. Reports are kept confidential until coordinated disclosure.
Scope
This policy covers:
- The ChangeSpec specification itself - flaws that cause any conforming implementation to be insecure.
- Reference implementations in Go, TypeScript, and Python.
- ChangeSpec-operated infrastructure: registry service, key aggregation, documentation hosting.
- The conformance test suite - flaws that allow non-conforming implementations to pass.
In scope:
- Flaws in signature design, canonicalization, key distribution, or trust model.
- Denial-of-service attacks against reference implementations or infrastructure.
- Authentication, authorization, or access control issues in the registry.
- Vulnerabilities in dependencies shipped by the reference implementations that affect security.
- Cryptographic implementation errors in reference validators or verifiers.
- Any flaw that leads to spoofed events being accepted as authentic.
Out of scope:
- Vulnerabilities in third-party implementations of the spec - report to those implementers directly.
- Vulnerabilities in third-party platforms or aggregators that implement ChangeSpec.
- Reports generated by automated scanners without validation.
- Self-XSS in unauthenticated areas of the documentation site.
Response SLA
| Stage | Target | Hard limit |
|---|---|---|
| Acknowledgement of report | 24 hours | 72 hours |
| Initial severity assessment | 3 business days | 7 business days |
| Mitigation plan communicated to reporter | 7d critical, 14d high, 30d medium/low | 45 days |
| Fix deployed (infrastructure) | 14d critical, 30d high, 60d medium | 90 days |
| Fix released (spec/reference impls) | 21d critical, 45d high, 90d medium | 120 days |
| Public disclosure | Coordinated with reporter, default 90 days | 180 days |
What to include in a report
- A clear description of the vulnerability.
- The component(s) affected: spec section, reference implementation name, or infrastructure service.
- Steps to reproduce, including minimal test cases where applicable.
- Your assessment of severity and impact.
- Any proposed mitigations or patches.
- Your preferred attribution: name, pseudonym, or anonymous.
- Any disclosure deadline you require.
Safe harbor
The ChangeSpec Foundation commits to not pursue legal action against security researchers who:
- Report vulnerabilities in good faith through the channels described here.
- Give reasonable time for response before public disclosure.
- Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
- Do not extort, threaten, or coerce the Foundation.
This safe harbor applies to civil claims under the US Computer Fraud and Abuse Act, EU Directive 2013/40/EU, and equivalent laws to the extent permitted by law. Researchers should consult their own legal counsel for jurisdiction-specific advice.
security.txt
The full security.txt file following RFC 9116 is available at:
Contact: https://github.com/changespec/spec/security/advisories/new
Expires: 2027-05-01T00:00:00.000Z
Acknowledgments: https://changespec.org/security/credits
Preferred-Languages: en
Canonical: https://changespec.org/.well-known/security.txt
Policy: https://changespec.org/security/
Acknowledgements
Reporters who responsibly disclose vulnerabilities are credited in the security advisory, the credits page, and the CHANGELOG entry for the fix release. Credit is opt-in; reporters who request anonymity are listed as "Anonymous Researcher".