Report security issues privately to the project owner at marco.presta@hrsdc-rhdcc.gc.ca.
Do not open a public issue for a suspected vulnerability.
Include:
- A short description of the issue
- Reproduction steps
- The affected file, script, or endpoint
- The likely impact
- Any suggested mitigation
Response targets:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix or disclosure plan: coordinated with the reporter
Expectations for contributors and operators:
- Do not commit secrets, tokens, or connection strings.
- Use Azure Key Vault for secrets and managed identity for service-to-service authentication where possible, rather than credentials stored in config or environment files.
- Keep RBAC least-privilege.
- Treat cost data, exports, and telemetry as sensitive operational data.
- Archive generated output rather than publishing it as source authority.
- The project talks to the live data model API for governance state, so that integration is in scope for security review.
- Any change that affects authority, evidence, or telemetry should be reviewed as a security-relevant change.
The EVA Foundation takes security seriously. If you discover a security vulnerability, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Send vulnerability reports to: [security contact to be added]
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response targets:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix and disclosure: coordinated with the reporter
We provide security updates for:
- Current release (main branch)
- Previous major version (if applicable)
When using EVA Foundation projects:
- Never commit credentials (.env files, API keys, connection strings)
- Use Azure Managed Identity for production deployments instead of stored credentials
- Follow the principle of least privilege for RBAC
- Enable branch protection on your forks
- Keep dependencies updated and act on Dependabot alerts
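Both policies on this page say not to commit secrets, tokens, or connection strings and to prefer Key Vault or managed identity instead. The following is an added example of a pre-commit style check that enforces the first rule while allowing the second: it scans file contents for Azure storage account keys, SAS tokens, GitHub personal access tokens, JWTs, and credential-looking assignments, but accepts values that are references to a secret store or the environment (App Service `@Microsoft.KeyVault(...)` references, `${VAR}` placeholders, `os.environ` lookups). This is illustrative code written for this page, not part of either project; the sample files, the `SAMPLE_FILES` dictionary, and the rule names are constructed for the example.

```python
"""Offline secret scanner: flag committed credentials, allow Key Vault and env references.

Added example for this page; not the project's own tooling. Patterns are a starting
point and should be tuned to the services a given repository actually uses.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# High-confidence formats for specific secret types.
SECRET_PATTERNS = {
    # Azure storage account keys are 64 bytes, base64-encoded with "==" padding.
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    # SAS tokens appear as a connection-string field or a "sig=" query parameter.
    "azure-sas-token": re.compile(r"(?:SharedAccessSignature=|[?&]sig=)[A-Za-z0-9%+/=]{20,}"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}

# Generic "name = value" / "name": "value" assignments whose name suggests a credential.
KV_ASSIGNMENT = re.compile(
    r"(?i)\b(client[_-]?secret|password|api[_-]?key|connection[_-]?string)\b"
    r"['\"]?\s*[:=]\s*['\"]?([^'\"\s,;]+)"
)

# Values that point at a secret store or the environment rather than holding a secret.
SAFE_PREFIXES = ("@Microsoft.KeyVault(", "${", "{{", "<", "os.environ", "env(")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # the offending line with the secret material replaced


def _is_reference(value: str) -> bool:
    v = value.strip().lower()
    return v == "" or v.startswith(tuple(p.lower() for p in SAFE_PREFIXES))


def _match(line: str):
    """Return (rule, start, end) for the first rule that fires on this line, else None."""
    for name, pattern in SECRET_PATTERNS.items():
        m = pattern.search(line)
        if m:
            return name, m.start(), m.end()
    m = KV_ASSIGNMENT.search(line)
    if m and not _is_reference(m.group(2)):
        return "hardcoded-" + m.group(1).lower().replace("-", "_"), m.start(2), m.end(2)
    return None


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; never echo the secret itself in the finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = _match(line)
        if hit is None:
            continue
        rule, start, end = hit
        excerpt = line[:start] + "[REDACTED]" + line[end:]
        findings.append(Finding(path, line_no, rule, excerpt.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would read from git)."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents (hypothetical; not real credentials).
SAMPLE_FILES = {
    ".env": (
        "AZURE_STORAGE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=evacost;"
        "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net\n"
    ),
    "appsettings.json": (
        "{\n"
        '  "ApiKey": "@Microsoft.KeyVault(SecretUri=https://eva-kv.vault.azure.net/secrets/api-key/)",\n'
        '  "Password": "Summer2026!"\n'
        "}\n"
    ),
    "config.py": 'import os\nCLIENT_SECRET = os.environ["EVA_CLIENT_SECRET"]\n',
    "scripts/export.sh": "GITHUB_TOKEN=ghp_" + "x" * 36 + "\n",
}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    # Non-zero exit blocks the commit when wired in as a pre-commit hook.
    sys.exit(1 if found else 0)
```

Of the four constructed files, the scanner flags the storage account key, the literal password, and the GitHub token, while the Key Vault reference and the `os.environ` lookup pass, which is exactly the split the policy above asks for. Wiring it into a hook means feeding it the staged blobs (for example from `git diff --cached`) instead of `SAMPLE_FILES`.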
EVA Foundation projects include:
- Azure Entra ID authentication
- Role-based access control (RBAC)
- Secrets management via Azure Key Vault integration
- API request validation and sanitization
- Audit logging for governance compliance
Last Updated: March 1, 2026