Sovereign Disclosure Policy — coordinated, 90-day, signed.
This page is the canonical coordinated vulnerability disclosure (CVD) policy for DEFONEOS. It tells external security researchers exactly how to report a finding, what we promise in return, how we triage, when we publish, and how the SIGIL ledger anchors the chain of custody from report → fix → disclosure. No NDA is required to read or use this page.
Sovereignty Audit Disclosure
1. Reporting channel & PGP
All DEFONEOS security disclosures go to a single, monitored mailbox:
Email: security@csoai.org
PGP key fingerprint:
The full public key block is published at defoneos-public-changelog.html § pgp. The fingerprint above is the only authoritative one — anything else is a phishing attempt.
Back-up channels (in priority order):
- Signal:
+44 7XXX XXXXXX(request via email first; not posted publicly to avoid SIM-swap attacks on researchers). - NCSC CiSP: post to the DEFONEOS advisory thread inside the NCSC Cyber Security Information Sharing Partnership (researchers with active UK security clearance only).
- UK AISI: forward via the UK AI Safety Institute reporting channel if the finding is AI-layer specific (OWASP ASI class C9).
We will not accept disclosures via Twitter/X DMs, Discord, Telegram, or any US-platform messaging service. If you sent it there, we didn't receive it.
2. Our promises to you
If you report a genuine security issue in good faith, we promise:
| # | Promise | Window |
|---|---|---|
| 1 | Acknowledgement of receipt | within 3 working days |
| 2 | Triage + severity assignment + CVE reservation | within 7 days |
| 3 | Technical contact (a named human on the security team) | by the end of triage |
| 4 | Status update on the fix | every 14 days until close |
| 5 | Public credit in the SIGIL tick — or anonymity on request | at disclosure |
| 6 | Coordinated disclosure date locked in writing | within 14 days of triage |
| 7 | No legal action for good-faith research that stays in scope | always |
| 8 | If we disagree on severity, an independent BFT council review | within 14 days of dispute |
If we miss any of these windows, you may publish immediately and we will not contest.
3. Triage & severity
Triage uses the same severity matrix as the pen-test cycle (see defoneos-pen-test-summary.html § 4):
| Severity | CVSS v3.1 | Fix SLA |
|---|---|---|
| CRITICAL | 9.0–10.0 | 24 h patch · 72 h deploy |
| HIGH | 7.0–8.9 | 7 d patch · 14 d deploy |
| MEDIUM | 4.0–6.9 | 30 d patch |
| LOW | 0.1–3.9 | 90 d patch (next minor) |
| INFO | 0.0 | Best-effort |
CVSS is calculated by the security team, not by the researcher — but we share the vector string and rationale, and you can dispute it.
4. 90-day disclosure window
DEFONEOS follows a 90-day default disclosure window, in line with Google Project Zero. The window starts at triage-acknowledgement (Promise 1).
| Day | Action |
|---|---|
| 0 | Acknowledgement, triage starts |
| 7 | Severity locked, CVE reserved, technical contact assigned |
| 14 | Public coordinated-disclosure date locked in writing (we will not silently extend without your consent) |
| 30 | MEDIUM findings expected fixed |
| 45 | HIGH findings expected fixed |
| 72 | CRITICAL findings expected fixed |
| 90 | Public disclosure date (default) |
| 90+ | If we ask for an extension, we put it in writing with a concrete ship-date |
Early disclosure is allowed if (a) actively exploited in the wild, (b) you believe we're acting in bad faith, or (c) we miss any of the promises above.
5. Publication & CVE
Every accepted disclosure produces a public artefact — even if we disagree with you on severity. The artefact includes:
- Ed25519-signed SIGIL tick with the report hash.
- CVE ID assigned by MITRE (we file within 7 days of triage).
- A
defoneos-advisory-YYYY-NNNpage on this site with the finding summary, severity rationale, fix description, and credit line. - Updated entry in the public changelog (defoneos-public-changelog.html).
- UK NCSC and UK AISI notified if severity ≥ HIGH.
We do not embargo a finding for a marketing window or product launch. Disclosure timing follows the SLA, not the calendar.
6. Scope — what's in / out
In scope
- Any DEFONEOS surface at
www.csoai.org,*.csoai.org, or any sovereign subdomain. - Any MCP server in the csoai-defoneos CERTIFIES compartment.
- The BFT council voting surface (quorum endpoint, BLS signature verification).
- The SIGIL ledger append-only chain.
- The sovereign CA chain (root + intermediates + end-entity certs).
- The disclosure mailbox itself (
security@csoai.org) — if you find a mail-server vuln, please tell us.
Out of scope
- meok-defoneos BUILDS surfaces — those are a separate compartment with a separate disclosure address (see meok-defoneos.com).
- dagon LEGACY assets — NDA-only; do not test.
- Third-party services we link to (NCSC, MITRE, GitHub) — report upstream.
- Social engineering, phishing, or physical attacks against CSOAI staff or infrastructure.
- Denial-of-service or volumetric testing — coordinate first.
- Anything that requires accessing another user's data without their consent.
- Findings purely about US-platform components we explicitly forbid (US CDN, US root CA, US cloud API).
7. Safe-harbour for good-faith research
If you:
- stay in scope,
- make a good-faith effort to avoid privacy violations and service disruption,
- report promptly (within 24 h of discovery),
- do not exploit a finding beyond what is necessary to prove it,
- do not publicly disclose before the coordinated date,
then we will not pursue legal action against you. We consider this research a public-good contribution and will defend that position in writing to your employer or funder if asked.
If your research is constrained by local law (e.g. computer-misuse legislation), consult your counsel first — but the safe-harbour is unconditional on our side.
8. Red-line invariants (immutable)
The disclosure process itself is constrained by these invariants — even a researcher acting in good faith cannot push us past them:
- No kinetic-targeting research. We do not accept findings about strike-package / find-fix-finish / kill-order / fire-control surfaces — even for defensive purposes. These are excluded by policy and are not part of DEFONEOS.
- No personal-surveillance research. Track-individual / face-recognition / locate-phone patterns are excluded. If your finding is about a sovereign border-control deployment that uses these, redirect to the relevant NCSC channel.
- No "AUKUS partnership" / "DAIC certified" disclosures. We do not claim these partnerships. If you find a reference to them on our surface, treat it as a phishing or typosquat — report to
security@csoai.organd we'll take it down. - No DEFONEOS-SEAL credential issuance via disclosure. That requires a 33-agent BFT council vote (quorum 23/33) plus human-owner seat activation. A disclosure cannot mint a SEAL.
- No compartment crossing. Findings about meok-defoneos BUILDS or dagon LEGACY stay inside their respective compartments. We will not publish a finding that crosses compartments.
- No defonos.io reference. If you find a link or claim pointing at that domain, that's a known trap. Report it; we will not redirect there.
9. Researcher credits & witness list
Researchers who report valid findings are credited in the public SIGIL tick, the changelog, and (with their permission) on a public honour roll page. You may:
- Use your real name.
- Use a handle.
- Remain anonymous (we still credit "anonymous researcher, NCSC partner").
The first three DEFONEOS honour-roll members (after the policy goes live) will receive a single-use DEFONEOS pin — a small artefact, not a credential. Pins carry no authority to bind the OS to anything.
10. How to verify this surface
- Fetch this page:
curl -sL https://www.csoai.org/sovereign-disclosure-policy.html | head -1must return<!DOCTYPE html>. - Verify the PGP fingerprint against the canonical block on the changelog.
- Cross-check the disclosure promise timeline against the pen-test cycle in defoneos-pen-test-summary.html.
- Read the red-line invariants — they are signed and visible on
www.csoai.orgfor anyone to challenge.