Security

Responsible disclosure and security resources for CFGMS

Report a Vulnerability

Help us keep CFGMS secure for everyone

⚠️ Do Not Report Publicly

Please do not open GitHub issues or discuss security vulnerabilities in public channels. This protects CFGMS users while we develop and deploy fixes.

What to Include

  • Type of issue — e.g., auth bypass, injection, XSS
  • Affected component — controller, steward, API
  • Attack scenario — step-by-step reproduction
  • Impact & affected versions

Send vulnerability reports to:

🔐 PGP Encrypted Email (Recommended)

For sensitive security reports, we strongly recommend using PGP encryption.

Key Fingerprint:

B489 6960 2965 C241 E851 71F9 258D 1EDC F411 6969

Key ID: 258D1EDCF4116969

What to Expect

Our commitment to security researchers

Our Response

  • Acknowledgment within 48 hours
  • Initial assessment within 5 business days
  • Regular updates during investigation
  • Credit in advisories (with permission)

Safe Harbor

We will not take legal action against researchers who responsibly disclose vulnerabilities according to this policy.

Your security research helps make CFGMS better for everyone.

  • Critical: Patch within 7 days
  • High: Patch within 14 days
  • Medium: Patch within 30 days
  • Low: Next regular release