This policy describes OSCAL Compass security and disclosure information.

To report a vulnerability, either:

1. Report it on Github directly you can follow the procedure described here and:

   • Navigate to the security tab (e.g. trestle security tab) on the repository
   • Click on 'Advisories'
   • Click on 'Report a vulnerability'
   • Detail the issue, see below for some examples of info that might be useful including.

2. Send an email to [email protected] detailing the issue and impacted project(s).

Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding:

• Versions of impacted project(s) used
• Detailed list of steps to reproduce the vulnerability
• Consequences of the vulnerability
• Severity you feel should be attributed to the vulnerabilities
• Screenshots or logs

Vulnerabilities once fixed will be shared publicly as a Github security advisory and mentioned in the fixed versions' release notes.

All OSCAL Compass projects follow Semantic Versioning terminology and are expressed as x.y.z:

• where x is the major version
• y is the minor version
• and z is the patch version

Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility.

Parts of this policy were adapted from the Crossplane security policy