Security is a core principle of the Universal Prompt Security Standard (UPSS). This document outlines our security policies, vulnerability reporting procedures, and commitment to maintaining a secure standard.

We provide security updates for the following versions:

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security vulnerability in UPSS, related tools, or documentation, please report it responsibly.

DO NOT report security vulnerabilities through public GitHub issues, discussions, or any other public forum.

Instead, please report security vulnerabilities through:

GitHub Security Advisories: https://github.com/upss-standard/universal-prompt-security-standard/security/advisories

This is the preferred and most secure method for reporting vulnerabilities.

Please provide the following information in your report:

1. Description:

   • Clear description of the vulnerability
   • Type of issue (e.g., injection, authentication bypass, information disclosure)

2. Impact:

   • Potential impact and severity assessment
   • Affected components or systems
   • Attack scenario or proof of concept

3. Reproduction:

   • Step-by-step instructions to reproduce
   • Proof of concept code or exploit (if applicable)
   • Screenshots or videos (if helpful)

4. Environment:

   • Affected versions
   • Configuration details
   • Platform or language specifics

5. Suggested Fix:

   • Proposed remediation (if you have one)
   • Alternative mitigations

We are committed to responding promptly to security reports:

We use the following severity classifications based on CVSS v3.1:

Critical (CVSS 9.0-10.0)

• Remote code execution
• Authentication bypass in production systems
• Data breach affecting multiple organizations
• Response time: 24-48 hours for patch

High (CVSS 7.0-8.9)

• Privilege escalation
• SQL injection or other injection attacks
• Sensitive data exposure
• Response time: 7 days for patch

Medium (CVSS 4.0-6.9)

• Cross-site scripting (XSS)
• Denial of service (DoS)
• Information disclosure
• Response time: 30 days for patch

Low (CVSS 0.1-3.9)

• Minor information leaks
• Rate limiting issues
• Non-critical configuration weaknesses
• Response time: 90 days for patch

We follow a coordinated disclosure model:

1. Private Disclosure:

   • Reporter notifies UPSS security team
   • Security team confirms and investigates
   • Patch is developed and tested

2. Pre-Disclosure:

   • Reporter is kept informed of progress
   • Embargo period agreed upon (typically 90 days)
   • Patch is prepared for release

3. Public Disclosure:

   • Patch is released
   • Security advisory is published
   • Credit is given to reporter (if desired)
   • CVE is requested if applicable

In some cases, early disclosure may be necessary:

• Active exploitation in the wild
• Information already publicly available
• Significant public safety risk

We will coordinate with the reporter before making any early disclosure.

Security advisories are published at:

• GitHub Security Advisories: https://github.com/upss-standard/universal-prompt-security-standard/security/advisories
• GitHub Releases: https://github.com/upss-standard/universal-prompt-security-standard/releases

Each advisory includes:

• CVE ID: (if applicable)
• Severity: Critical, High, Medium, or Low
• Affected Versions: Specific versions impacted
• Description: Detailed vulnerability description
• Impact: Potential consequences
• Remediation: How to fix or mitigate
• Credit: Attribution to reporter (if approved)
• Timeline: Discovery, disclosure, and patch dates

When implementing UPSS, follow these security best practices:

• No Hardcoded Secrets: Use environment variables or secure vaults
• Least Privilege: Grant minimum necessary permissions
• Regular Updates: Keep dependencies and tools updated
• Access Control: Implement proper authentication and authorization

• Input Validation: Always validate and sanitize inputs
• Checksum Verification: Verify prompt integrity with checksums
• Encryption: Encrypt sensitive prompts at rest and in transit
• Audit Logging: Log all prompt access and modifications

• Code Review: Require peer review for all changes
• Security Testing: Include security tests in CI/CD pipeline
• Dependency Scanning: Regularly scan for vulnerable dependencies
• Static Analysis: Use static analysis tools to detect security issues

• Monitoring: Implement real-time security monitoring
• Incident Response: Have an incident response plan
• Backup and Recovery: Maintain secure backups
• Access Logs: Review access logs regularly

We encourage security testing of UPSS:

You may perform security testing on:

• Your own UPSS implementations
• Reference implementations in this repository
• Public demo environments (when available)

When conducting security testing:

1. Do Not:

   • Test against production systems of other organizations
   • Perform destructive testing
   • Access or modify data you don't own
   • Conduct social engineering attacks
   • Violate any laws or regulations

2. Do:

   • Test in isolated environments
   • Document your findings
   • Report vulnerabilities responsibly
   • Respect privacy and confidentiality

We recognize individuals and organizations that contribute to UPSS security:

Security Champion

• Reported a valid security vulnerability
• Name listed in SECURITY_CHAMPIONS.md

Security Contributor

• Multiple security contributions
• Enhanced security features or documentation
• Name and contribution listed

Security Leader

• Significant security improvements
• Ongoing security contributions
• Public recognition and speaking opportunities

Subscribe to security updates:

• GitHub Watch: Enable security alerts and notifications on the repository
• GitHub Releases: Subscribe to release notifications

• Critical/High: Immediate notification within 24 hours
• Medium: Weekly security bulletin
• Low: Monthly security summary

UPSS aligns with the following security standards:

• OWASP Top 10: Web application security risks
• NIST Cybersecurity Framework: Risk management framework
• ISO 27001: Information security management
• SOC 2: Security and availability controls
• CIS Controls: Critical security controls

We are planning to launch a bug bounty program in Q2 2026. Details will be announced on:

• GitHub Security Advisories for vulnerability reports

The UPSS Security Team is responsible for:

• Reviewing and responding to security reports
• Coordinating vulnerability disclosure
• Publishing security advisories
• Maintaining security documentation
• Conducting security audits

• GitHub Security Advisories: https://github.com/upss-standard/universal-prompt-security-standard/security/advisories
• GitHub Issues: For non-sensitive security questions

We support safe harbor for security researchers who:

• Act in good faith
• Follow this security policy
• Report vulnerabilities responsibly
• Do not violate any laws

We commit to:

• Not pursue legal action for good faith security research
• Work with you to understand and resolve issues
• Recognize your contribution (if desired)

Safe harbor does not apply to:

• Violations of applicable laws
• Intentional harm to users or systems
• Unauthorized access to data
• Social engineering attacks
• Physical security testing

For questions about this security policy:

• GitHub Issues: Open an issue labeled "security-question"
• GitHub Discussions: Start a discussion in the security category

We thank the security research community for helping keep UPSS and its users safe. Special thanks to:

• Security researchers who have responsibly disclosed vulnerabilities
• Organizations that have conducted security audits
• Community members who contribute to security improvements

• 1.0.0 (October 29, 2025): Initial security policy

This security policy is reviewed annually and updated as needed to reflect current best practices and threat landscape.

Last Updated: October 29, 2025
Next Review: October 29, 2026