Security and Vulnerability Disclosure

How to report security concerns.

TSF-SEC-1 Operational

1. Purpose

This document describes the scope of security considerations for the TrustSurface Framework repository and explains how to report security concerns.

2. Scope

The TrustSurface Framework repository contains documentation and diagrams only. It is not a software product, does not include executable code, and does not provide or interact with any runtime services.

Accordingly:

  • There is no executable attack surface: nothing in the repository runs, listens on a network, or accepts input, so there is no attack surface in the traditional software security sense.
  • Security concerns are most likely to arise from errors or misleading guidance within the framework content itself, not from code vulnerabilities.
  • TrustSurface does not process, store, or transmit user data of any kind.

3. How to report a security concern

If you believe there is a security concern in example material or guidance within this repository:

  1. Open a GitHub Issue with the prefix [Security] in the title.
  2. Describe the concern clearly, including the affected document or section.
  3. If the concern should not be disclosed publicly before review (for example, because the public issue itself would draw attention to a materially insecure configuration that others may already have adopted), contact the maintainer listed in AUTHOR-NOTE.md directly instead of opening a public issue, and keep the sensitive details out of the issue tracker until the maintainer has responded.

Repository: https://github.com/Bchetcuti/trustsurface-framework

4. What constitutes a security concern in this context

Examples of in-scope concerns:

  • Guidance that could lead an implementer to adopt a materially insecure configuration
  • Example content that inadvertently models a harmful practice
  • A trust signal definition that misrepresents the security posture it is intended to describe

Examples of out-of-scope concerns:

  • Requests for new features or framework changes (use [Signal] or [Governance] issue prefixes instead - see TSF-CNS-1)
  • General disagreements with the framework’s approach

5. Related documents

  • TSF-CNS-1 - Consultation and Contribution Guidance (general issue and contribution process)
  • TSF-LIC-1 - Licence
  • TSF-CIT-1 - Citation Guidance

Summary statement

TSF-SEC-1 clarifies that the TrustSurface repository is a documentation resource, not a software product, and sets out the process for raising security concerns about framework content, including a private route for matters that should not be disclosed publicly before review. TrustSurface does not process user data.