The ODS Foundation takes security seriously. We appreciate your efforts to responsibly disclose vulnerabilities in the ODS specification or reference implementations.
For security vulnerabilities, please DO NOT open a public GitHub issue.
Instead, report security issues through one of these channels:
- GitHub Security Advisories: go to the Security tab, click "Report a vulnerability", and fill in the details
- Email: send a detailed report to security@ods-foundation.org (coming soon)
For now, use GitHub Security Advisories.
To help us understand and address the issue quickly, please include:
- Description of the vulnerability
- Type of issue (e.g., schema flaw, cryptographic weakness, implementation gap)
- Step-by-step reproduction
- Affected versions of ODS
- Potential impact assessment
- Suggested fix (if applicable)
- Your contact information for follow-up questions
We commit to:
| Timeline | Action |
|---|---|
| 24 hours | Initial acknowledgment of report |
| 72 hours | Severity assessment completed |
| 7 days | Mitigation strategy proposed |
| 30 days | Fix released (for critical issues) |
| 90 days | Public disclosure (coordinated) |
We classify vulnerabilities using CVSS 3.1:
- Critical (9.0-10.0): Immediate action required; affects core trust model
- High (7.0-8.9): Significant security impact; mitigation prioritized
- Medium (4.0-6.9): Moderate security impact; addressed in next release
- Low (0.1-3.9): Minor security improvement; addressed in regular cycle
We follow coordinated disclosure:
- Report received privately
- Validation and severity assessment
- Fix developed and tested
- Patch released to all known implementers
- Public advisory published (typically 30-90 days after report)
- CVE assigned (for significant vulnerabilities)
This security policy covers:
✅ The ODS specification itself
✅ The reference implementation (if hosted in this organization)
✅ Schema validation tools
✅ Cryptographic verification mechanisms
This policy does NOT cover:
❌ Third-party implementations (report to those vendors)
❌ Issues in dependencies (report upstream)
❌ User errors or misconfigurations
We recognize security researchers who responsibly disclose vulnerabilities:
- Hall of Fame: listed in our security acknowledgments
- Public credit in security advisories (with permission)
- CVE attribution for significant findings
Currently, the ODS Foundation does not offer a paid bug bounty program. However:
- Responsible disclosures are highly valued
- Recognition is provided
- Future bug bounty programs will be announced if established
When implementing ODS, follow these security guidelines:
- ✅ Use SHA-256 minimum for hashing (per specification)
- ✅ Implement Merkle trees correctly for batch verification
- ✅ Store cryptographic keys securely (HSM recommended)
- ✅ Rotate keys according to your security policy
- ✅ Use append-only storage with WORM guarantees
- ✅ Encrypt data at rest
- ✅ Encrypt data in transit (TLS 1.3+)
- ✅ Implement proper access controls
- ✅ Audit all access to decision data
- ✅ Use strong authentication (OAuth 2.0, JWT)
- ✅ Implement rate limiting
- ✅ Validate all inputs
- ✅ Log all API access
- ✅ Use HTTPS only
- ✅ Keep dependencies updated
- ✅ Run security scans regularly
- ✅ Conduct penetration testing
- ✅ Follow OWASP guidelines
- ✅ Use static analysis tools
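The hashing and Merkle-tree items above, shown together as an added example (not ODS Foundation or reference-implementation code): a SHA-256 Merkle root over a batch of decision records, an inclusion proof for one record, and its verification. It assumes RFC 6962-style leaf/node domain separation and an odd trailing node promoted unchanged; the record contents are constructed and hypothetical.

```python
import hashlib
from typing import List, Tuple

# Domain-separation prefixes (RFC 6962 style): a leaf hash can never be
# confused with an interior-node hash, which blocks second-preimage tricks.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# Constructed sample batch of decision records (hypothetical ODS content).
RECORDS = [
    b'{"decision_id":"d-001","outcome":"approve"}',
    b'{"decision_id":"d-002","outcome":"deny"}',
    b'{"decision_id":"d-003","outcome":"escalate"}',
]

def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def _next_level(level: List[bytes]) -> List[bytes]:
    """Pair adjacent nodes; an odd trailing node is promoted unchanged."""
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])
    return nxt

def merkle_root(records: List[bytes]) -> bytes:
    if not records:
        raise ValueError("an empty batch has no root")
    level = [leaf_hash(r) for r in records]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(records: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; flag is True when the sibling is on the right."""
    level = [leaf_hash(r) for r in records]
    proof: List[Tuple[bytes, bool]] = []
    while len(level) > 1:
        if index % 2 == 0 and index + 1 < len(level):
            proof.append((level[index + 1], True))
        elif index % 2 == 1:
            proof.append((level[index - 1], False))
        # a promoted trailing node has no sibling at this level, so no step is added
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(record: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from one record up to the root; the full batch is not needed."""
    h = leaf_hash(record)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root
```

A verifier holding only the published root and a short proof can check a single record without seeing the rest of the batch, which is what makes batch verification cheap for auditors.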
For security-related questions or concerns:
- GitHub Security Advisories (for vulnerability reports)
- GitHub Discussions (non-sensitive topics only)
Security is a shared responsibility.
🏛️ ODS Foundation