The Cloud Security Alliance (CSA) documents its full product security program in the csa-product-security repository. The guidance below summarizes how to report potential vulnerabilities.

• Websites and services such as cloudsecurityalliance.org, csachapter.io, star.watch, webfinger.io, hosted portals, and first-party APIs.
• Software in CSA-managed GitHub organizations, including MCP servers/clients, SDKs, and extensions:
  • CloudSecurityAlliance
  • CloudSecurityAlliance-Chatbots
  • CloudSecurityAlliance-DataSets
  • modelcontextprotocol-security
  • RiskRubric
• AI prompts and instructions published by CSA, whether embedded in MCP artifacts or distributed separately.

General model-behavior research without a CSA artifact, third-party platforms, or upstream dependencies we do not control are out of scope. See the Vulnerability Disclosure Policy for details.

• GitHub Private Vulnerability Reporting (preferred for software or repo-hosted AI artifacts): Open the repository’s Security tab, select Report a vulnerability, and provide reproduction steps, impact, and affected versions. Reports stay private until we publish an advisory, and GitHub credits the reporter automatically. GitHub login required.
• Email security@cloudsecurityalliance.org (for websites/services, AI content published outside GitHub, or if you prefer not to use PVR). Include reproduction steps, impact, affected assets, and credit preference. Anonymous or pseudonymous reports and PGP-encrypted messages are accepted.

CSA follows coordinated disclosure with explicit timelines:

• Acknowledge every report within 5 business days.
• Provide substantive status updates at least every 30 days while a case is open.
• Target remediation or public disclosure within 90 days of acknowledgment unless we mutually agree on a different schedule.

We default to publishing advisories openly through GitHub as soon as practical, even if a fix is still in progress. See the SLA commitments and governance framework for the canonical definitions.

CSA supports good-faith security research. If you respect this policy, avoid unnecessary service disruption, and give us a reasonable chance to remediate before disclosure, we will not pursue legal action. Keep exploitation to the minimum required to demonstrate impact and do not access, modify, or exfiltrate data beyond what is necessary to prove the issue.

The complete governance model, handling process, and severity expectations live in csa-product-security/docs/. Start with:

• Vulnerability Disclosure Policy
• Vulnerability Handling Process
• Severity Classification

Copy this SECURITY.md into the .github repository to apply it organization-wide; individual repos can override it if they have unique requirements.