Security Advisories

This page is the authoritative location for security advisories published by the Cloud Security Alliance (CSA). CSA is a CVE Numbering Authority (CNA) authorized to assign CVE identifiers for vulnerabilities in CSA products and services.

All advisories on this page are provided without registration or login requirements, in accordance with CNA Operational Rules.

CNA Scope

CSA’s CNA scope covers vulnerabilities in products and services developed, maintained, or provided by the Cloud Security Alliance, including:

  • Websites and services — cloudsecurityalliance.org, csachapter.io, star.watch, webfinger.io, hosted portals, and first-party APIs
  • Software — Repositories under CloudSecurityAlliance on GitHub, MCP servers and clients, SDKs, and extensions
  • AI prompts and instructions — CSA-published prompts, guardrails, skills, and system instructions, including those embedded in MCP servers and clients

Vulnerabilities outside this scope should be reported to the appropriate vendor or to MITRE’s CVE Request form.

Advisories

2026

CVE ID Summary Severity Affected Product Published Updated
No advisories have been published yet.

Reporting a Vulnerability

If you have discovered a security vulnerability in a CSA product or service, we encourage you to report it responsibly. Choose the appropriate channel based on where the issue was found:

  • GitHub Private Vulnerability Reporting (preferred for software) — Open the affected repository’s Security tab and select Report a vulnerability. This requires a GitHub account and automatically credits the reporter on published advisories.
  • Email — Send details to [email protected] for vulnerabilities in websites, services, or non-repository AI artifacts. Include reproduction steps, impact assessment, and any preferred credit instructions. PGP encryption is available on request.

CSA targets acknowledgment within 5 business days, status updates every 30 days, and remediation or coordinated disclosure within 90 days unless a different timeline is mutually agreed.

CSA does not operate a bug bounty program. Safe harbor applies to good-faith security researchers who follow the Vulnerability Disclosure Policy.

Advisory Format

Each CSA security advisory includes the following information, consistent with CVE Record requirements:

  • CVE Identifier — A unique CVE ID assigned by CSA as a CNA
  • Description — A concise explanation of the vulnerability and its potential impact
  • Severity — A CVSS v3.1 or v4.0 base score and severity rating; AIVSS may also be provided for AI-related vulnerabilities
  • Affected products and versions — Specific products, versions, and configurations impacted
  • Remediation — Fixed versions, patches, workarounds, or mitigations
  • References — Links to related resources such as GitHub advisories, commits, and documentation
  • Credit — Acknowledgment of the reporter, when authorized and both parties agree
  • Timeline — Key dates in the disclosure and remediation process

Contact

For questions about CSA security advisories or the CVE assignment process, contact [email protected].

To report a vulnerability, use the channels described in the Reporting a Vulnerability section above or email [email protected].

Page last updated: March 2026 · This page is publicly accessible without registration in accordance with CVE CNA Operational Rules v4.1, Section 4.5.2.4.