This policy covers security issues in:
- Errors in the normative specification that create a governance gap or could be exploited to produce a misleading CRS score
It does not cover the circuitframework.org website (report website issues separately).
Do not file a public GitHub Issue for security reports.
Report security issues directly to:
Eric Zielinski, CISO, Jumpmind 📧 security@circuitframework.org
Please include:
- A description of the issue and its potential impact
- Steps to reproduce or a proof-of-concept (for tooling bugs)
- Which file, section, or rule is affected
- Your suggested fix if you have one
We will acknowledge receipt within 2 business days and provide a resolution timeline within 5 business days.
We follow coordinated disclosure. Please allow us reasonable time to address the issue before any public disclosure.