| Version | Supported |
|---|---|
| 0.1.x | Yes |
If you discover a security vulnerability in CVM, please report it responsibly:
- Do NOT open a public GitHub issue.
- Email security@grcengineering.com with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Any suggested fix (optional)
- You will receive an acknowledgment within 48 hours.
- We aim to provide a fix within 7 days for critical vulnerabilities.
If you suspect a supply chain compromise affecting CVM (e.g., malicious dependency, compromised CI/CD, tampered release artifact):
- Immediately notify security@grcengineering.com with subject line: `[SUPPLY CHAIN] CVM compromise suspected`
  - Include: affected version(s), indicator of compromise, how you discovered it
- We will initiate our incident response playbook:
  - Triage and identify affected components (first 30 minutes)
  - Pin to known-good dependency versions and disable affected workflows (first 2 hours)
  - Rotate all potentially exposed credentials — revoke old BEFORE issuing new (first 4 hours)
  - Check all distribution channels: container registries, release artifacts, documentation
  - Publish advisory and patched release
All CVM release artifacts include:
- SLSA build provenance attestations (verify with `gh attestation verify`)
- Cosign signatures on container images (verify with `cosign verify`)
- SBOM in CycloneDX format (generated by `cargo-cyclonedx`)
- Cargo.lock committed for reproducible builds
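As an added example (not part of this policy or of the CVM project's own code): a consumer-side check that reconciles a CycloneDX SBOM against the committed Cargo.lock, flagging components that are absent from the SBOM, present in the SBOM but not in the lockfile, or listed at a different version. The Cargo.lock excerpt and SBOM below are constructed samples, and excluding the root crate by name is an assumption about how cargo-cyclonedx records it.

```python
"""Cross-check a CycloneDX SBOM against the Cargo.lock it should describe."""
import json
import re

# Constructed sample inputs (not real CVM files). The SBOM deliberately drifts
# from the lockfile: one version differs and one component has no lock entry.
CARGO_LOCK = """
[[package]]
name = "cvm"
version = "0.1.0"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.37.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "serde", "version": "1.0.200", "purl": "pkg:cargo/serde@1.0.200"},
        {"type": "library", "name": "tokio", "version": "1.38.0", "purl": "pkg:cargo/tokio@1.38.0"},
        {"type": "library", "name": "unexpected-crate", "version": "0.0.1", "purl": "pkg:cargo/unexpected-crate@0.0.1"},
    ],
})

def parse_cargo_lock(text):
    """Return {name: version} for each [[package]] block (minimal TOML subset)."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        fields = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, flags=re.M))
        if "name" in fields and "version" in fields:
            pkgs[fields["name"]] = fields["version"]
    return pkgs

def parse_sbom(text):
    """Return {name: version} for Cargo components; reject non-CycloneDX input."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return {c["name"]: c["version"] for c in bom.get("components", [])
            if c.get("purl", "").startswith("pkg:cargo/")}

def reconcile(lock, sbom, root="cvm"):
    """Compare the two views; the root crate is skipped (assumption: not a component)."""
    lock = {n: v for n, v in lock.items() if n != root}
    return {"missing_from_sbom": sorted(set(lock) - set(sbom)),
            "not_in_lock": sorted(set(sbom) - set(lock)),
            "version_mismatch": sorted(n for n in set(lock) & set(sbom) if lock[n] != sbom[n])}

if __name__ == "__main__":
    print(reconcile(parse_cargo_lock(CARGO_LOCK), parse_sbom(SBOM)))
```

Any non-empty list in the report means the SBOM and the lockfile were not produced from the same dependency graph, which is worth raising before trusting the artifact.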