Please report security concerns, suspected vulnerabilities, or sensitive disclosure issues privately by contacting:
Do not open public issues for reports that may expose sensitive information, exploit details, or private operational data.
This security policy applies to:
- Errors or inconsistencies in the STIX bundle that may cause issues in consuming platforms.
- Critical errors in the taxonomy with operational impact (incorrect associations, conceptual contradictions).
- Issues with files published in this repository.
Out of scope:
- Feature requests, taxonomy extensions, or framework improvement proposals (please open a public issue).
- Typos or minor editorial corrections (please open a public issue or pull request).
We aim to acknowledge reports within 5 business days and provide an initial assessment within 15 business days.
Critical issues affecting the integrity of the framework may be addressed through urgent patches or version updates.
We follow responsible disclosure principles. We ask reporters to allow reasonable time for assessment and resolution before public disclosure of critical findings.