Security

Public posture

Vulnerability disclosure

ControlFrame welcomes responsible reports that help protect evidence workflows, private runners, client workspaces, and artifact custody.

Review status
Do not include secrets, PHI, PII, exploit payloads, or client-specific evidence in public reports. Use approved ControlFrame operator contact channels until a dedicated security inbox is provisioned and verified.

Scope

Public website, authenticated workspace, evidence repository scaffolds, agent orchestration surfaces, private-runner coordination paths, and package-readiness workflows.

Safe reporting

Share affected URL, impact, reproduction summary, browser/runtime details, and timestamps. Do not access tenant data or exfiltrate artifacts.

Triage

Reports are reviewed for severity, reproducibility, the affected trust boundary, client-data risk, and remediation path before any disclosure decision is made.

Out of scope

Spam, social engineering, denial-of-service, physical attacks, speculative scanner output without impact, and requests to access private client workspaces.

Evidence boundary

Client-specific CMS EDE artifacts and static evidence files are protected surfaces, not public test targets.

Coordinated remediation

ControlFrame prioritizes fixes that protect authentication, authorization, artifact custody, runner signing, storage access, and audit-log integrity.