
Coordinated Vulnerability Disclosure (CVD) Policy


1. Scope


This policy applies to all versions and components of ESCRA, including third-party integrations.
Our goal is to work collaboratively with security researchers to identify, report, and resolve vulnerabilities in a secure and timely manner.


2. Reporting Channels


We provide the following confidential channels for reporting vulnerabilities:

We discourage reporting via slow or non-confidential channels (e.g. public issue trackers). If used, we may need to follow up via a secure channel.


3. Acknowledgement & Response


We aim to:

  • Acknowledge receipt of your report within 5 business days.

  • Begin assessment and keep you informed of progress.


4. Coordination & Remediation


  • We treat reporter identities as confidential and will anonymize them upon request.

  • We work closely with you to clarify technical details.

  • After analysis, we will prepare a patch, update, or mitigation, ideally within 30 days of confirming the vulnerability.


5. CVE Assignment & Public Disclosure


  • Where applicable, we will request a CVE ID for the reported vulnerability.

  • Public disclosure (e.g. via advisory) will typically occur no sooner than 14 days after a fix has been released, unless active exploitation or other risks require earlier disclosure.


6. Safe Harbor


If you act in good faith and comply with this policy:

  • We will not pursue legal action against you.

  • No NDA or commercial agreement is required to submit a report.


7. Scope Management


In scope:

  • Core components

  • APIs

  • Web interfaces

  • Libraries

  • Deployment templates

Out of scope:

  • Deployments on third-party infrastructure

  • Physical security components


8. Communication & Transparency


  • We respond within 5 business days of receiving a report.

  • We provide regular updates on remediation progress and may share patches for validation.

  • Final disclosure is handled transparently through advisories or blog posts.


9. Typical Timeline


Stage                                    Target SLA

Acknowledgement                          5 business days

Patch or mitigation                      30 days

Public disclosure (where appropriate)    14 days after fix


10. Alternatives & Escalation


If we cannot reach an agreement or communication breaks down, either party may request assistance from a neutral third party (such as certcc.github.io, ntia.doc.gov, The GitHub Blog, or CISA).


11. Versioning


  • Policy version: 1.0

  • Last updated: July 24, 2025

  • Future updates will be documented here along with their effective dates.
