DEFONEOS · Public Security Surface

Sovereign Disclosure Policy — coordinated, 90-day, signed.

This page is the canonical coordinated vulnerability disclosure (CVD) policy for DEFONEOS. It tells external security researchers exactly how to report a finding, what we promise in return, how we triage, when we publish, and how the SIGIL ledger anchors the chain of custody from report → fix → disclosure. No NDA is required to read or use this page.

Sovereignty Audit Disclosure

1. Reporting channel & PGP

All DEFONEOS security disclosures go to a single, monitored mailbox:

Email: security@csoai.org

PGP key fingerprint:

pub ed25519 2026-05-14 [SC] Key fingerprint = 9C4A 7E1D 5B82 F0E3 6D71 8C44 1A09 7B3F 2E6D 5C18 uid DEFONEOS Security Coordination <security@csoai.org> sub ed25519 2026-05-14 [S] [expires: 2028-05-14]

The full public key block is published at defoneos-public-changelog.html § pgp. The fingerprint above is the only authoritative one — anything else is a phishing attempt.

Back-up channels (in priority order):

  1. Signal: +44 7XXX XXXXXX (request via email first; not posted publicly to avoid SIM-swap attacks on researchers).
  2. NCSC CiSP: post to the DEFONEOS advisory thread inside the NCSC Cyber Security Information Sharing Partnership (researchers with active UK security clearance only).
  3. UK AISI: forward via the UK AI Safety Institute reporting channel if the finding is AI-layer specific (OWASP ASI class C9).

We will not accept disclosures via Twitter/X DMs, Discord, Telegram, or any US-platform messaging service. If you sent it there, we didn't receive it.

2. Our promises to you

If you report a genuine security issue in good faith, we promise:

#PromiseWindow
1Acknowledgement of receiptwithin 3 working days
2Triage + severity assignment + CVE reservationwithin 7 days
3Technical contact (a named human on the security team)by the end of triage
4Status update on the fixevery 14 days until close
5Public credit in the SIGIL tick — or anonymity on requestat disclosure
6Coordinated disclosure date locked in writingwithin 14 days of triage
7No legal action for good-faith research that stays in scopealways
8If we disagree on severity, an independent BFT council reviewwithin 14 days of dispute

If we miss any of these windows, you may publish immediately and we will not contest.

3. Triage & severity

Triage uses the same severity matrix as the pen-test cycle (see defoneos-pen-test-summary.html § 4):

SeverityCVSS v3.1Fix SLA
CRITICAL9.0–10.024 h patch · 72 h deploy
HIGH7.0–8.97 d patch · 14 d deploy
MEDIUM4.0–6.930 d patch
LOW0.1–3.990 d patch (next minor)
INFO0.0Best-effort

CVSS is calculated by the security team, not by the researcher — but we share the vector string and rationale, and you can dispute it.

4. 90-day disclosure window

DEFONEOS follows a 90-day default disclosure window, in line with Google Project Zero. The window starts at triage-acknowledgement (Promise 1).

DayAction
0Acknowledgement, triage starts
7Severity locked, CVE reserved, technical contact assigned
14Public coordinated-disclosure date locked in writing (we will not silently extend without your consent)
30MEDIUM findings expected fixed
45HIGH findings expected fixed
72CRITICAL findings expected fixed
90Public disclosure date (default)
90+If we ask for an extension, we put it in writing with a concrete ship-date

Early disclosure is allowed if (a) actively exploited in the wild, (b) you believe we're acting in bad faith, or (c) we miss any of the promises above.

5. Publication & CVE

Every accepted disclosure produces a public artefact — even if we disagree with you on severity. The artefact includes:

We do not embargo a finding for a marketing window or product launch. Disclosure timing follows the SLA, not the calendar.

6. Scope — what's in / out

In scope

Out of scope

7. Safe-harbour for good-faith research

If you:

then we will not pursue legal action against you. We consider this research a public-good contribution and will defend that position in writing to your employer or funder if asked.

If your research is constrained by local law (e.g. computer-misuse legislation), consult your counsel first — but the safe-harbour is unconditional on our side.

8. Red-line invariants (immutable)

The disclosure process itself is constrained by these invariants — even a researcher acting in good faith cannot push us past them:

9. Researcher credits & witness list

Researchers who report valid findings are credited in the public SIGIL tick, the changelog, and (with their permission) on a public honour roll page. You may:

The first three DEFONEOS honour-roll members (after the policy goes live) will receive a single-use DEFONEOS pin — a small artefact, not a credential. Pins carry no authority to bind the OS to anything.

10. How to verify this surface

  1. Fetch this page: curl -sL https://www.csoai.org/sovereign-disclosure-policy.html | head -1 must return <!DOCTYPE html>.
  2. Verify the PGP fingerprint against the canonical block on the changelog.
  3. Cross-check the disclosure promise timeline against the pen-test cycle in defoneos-pen-test-summary.html.
  4. Read the red-line invariants — they are signed and visible on www.csoai.org for anyone to challenge.