Coordinated Vulnerability Disclosure Policy

🛡️ About This Policy

CraftedTrust, operated by Cyber Craft Solutions LLC (craftedcybersolutions.com), is committed to improving the security of the AI agent ecosystem through responsible vulnerability research and coordinated disclosure.

📋 Scope

This policy covers vulnerabilities in:

Open-source MCP (Model Context Protocol) server implementations
AI agent tools and frameworks distributed via npm and PyPI
Google A2A Agent-to-Agent Agent Cards
Related AI agent infrastructure packages

Out of Scope: This policy does not cover vulnerabilities in the MCP specification itself, maintained by the Linux Foundation Agentic AI Foundation.

⏱️ Our Disclosure Timeline

When Cyber Craft Solutions discovers a vulnerability, we follow a 90-day coordinated disclosure process:

Day 0: Discovery & Notification Internal verification and proof of concept development. Maintainer notified via email with a detailed report including description, affected versions, proof of concept, suggested remediation, and CVSS severity rating.

Day 14: First Follow-up Follow-up notification if no response.

Day 30: Second Follow-up Alternative contact channels attempted (GitHub issues, security advisories, project maintainers).

Day 60: Third Follow-up Maintainer notified that public disclosure is planned for Day 90.

Day 90: Public Disclosure Advisory published at touchstone.craftedtrust.com/#advisories with full technical details, remediation guidance, and assigned CVE identifier.

Timeline Adjustments

Extension: We may extend the deadline by up to 30 days if the maintainer is actively working on a fix
Acceleration: We may accelerate disclosure if a vulnerability is being actively exploited in the wild or poses imminent risk to user safety

📊 Severity Rating

We use the Touchstone Security Rating (TSR) alongside CVSS v3.1 scoring. Advisories are categorized as:

Critical
High
Medium
Low

Findings are mapped to CoSAI, OWASP Top 10 for Agentic Applications, EU AI Act Articles 9-15, NIST AI RMF, and AIUC-1.

🔐 CVE Assignment

Cyber Craft Solutions requests CVE identifiers for confirmed vulnerabilities through MITRE or the appropriate CNA. Advisories include CVE identifiers when assigned.

🔔 Reporting a Vulnerability to Cyber Craft Solutions

If you discover a vulnerability in CraftedTrust's own products or services, please report it to [email protected].

What to Include

Description of the vulnerability
Steps to reproduce
Affected components
Proof of concept (if applicable)

Our Response Timeline

Acknowledge receipt within 3 business days
Provide initial assessment within 10 business days

⚖️ Safe Harbor

CraftedTrust considers security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:

Make a good faith effort to avoid privacy violations, data destruction, and service disruption
Only interact with accounts they own or with explicit permission
Report vulnerabilities promptly and do not disclose details before the agreed timeline
Do not exploit vulnerabilities beyond what is necessary to confirm their existence

Vulnerability Disclosure