This C2PA open-source library is maintained in partnership with Adobe. At this time, Adobe is taking point on accepting security reports through its HackerOne portal and public bug bounty program.
Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through Adobe's HackerOne page. If for some reason this is not possible, reach out to cai-security@adobe.com.
Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are:
- 72 hours for vulnerabilities with a CVSS score of 9.0-10.0
- 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9
Any vulnerability with a score below 6.9 will be resolved when possible.
This library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported here.