This policy addresses reporting security vulnerabilities, harms, or issues identified with the C2PA specification via a coordinated disclosure process.

This guidance is specifically for reporting issues within the specification itself. If you have found a vulnerability within a specific implementation of the specification, please report the issue directly to the author(s) of the implementation.

As an example, the specification defines byte ranges that should be included within the cryptographic hashes. If it is discovered that the specified ranges failed to include a section of bytes that are necessary to protect against a specific threat, then that would be a valid report since the issue is specifically with the specification's requirements and recommendations. All implementations following the requirements and recommendations provided within the specification would have this issue.

If the issue only occurs within a specific implementation due to behavior specific to that implementation, then that is more likely to be an issue that needs to be reported to the author of the implementation.

Please only report issues against the latest version of the specification. The pull down menu in the top right of the specification web page on the c2pa.org website will show all of the available versions. Include the version of the specification that you used in your analysis within your report.

There are two methods for reporting a security vulnerability for the specification. The preferred method is to use the Private Security Vulnerability feature on GitHub. To use this method, click on the Security tab of the specifications repo and select "Report a vulnerability". If GitHub is not an option, then it is also possible to report issues by sending an email to security { @ } c2pa.org.

When reporting the issue, please quote the relevant section of the specification that defines the potentially harmful guidance. The specification often references the same concept multiple times, so direct references can speed the triage process. If the issue is due to missing guidance, please be clear that you are reporting that the specification does not cover the topic of your report. When explaining the issue, please clearly define the specific threat, and the steps necessary to exploit the issue.

The coordinated disclosure process can also be used to report issues with the accompanying Informative Documents provided on the C2PA website.

Reports received via the coordinated disclosure workflow will be reviewed by C2PA members to determine whether they apply to the specification. If we believe that the received issue has an impact on the security of the ecosystem and requires an update to the specification or supporting documents, we will respond to the reporter with information on how we can coordinate moving forward, depending on the type of issue. Once the changes are published, we will publicly acknowledge the issue and the relevant changes to the specification or supporting documents. If the reporter wishes to be acknowledged, we will also provide public acknowledgement of their contribution.

If the report is determined to be an issue with a specific implementation of the specification, we will respond to the reporter asking that they send the details to the owners of the implementation. If we believe that the report is not a security issue but merits further discussion, we will move the discussion to a public GitHub issue to continue the conversation with the reporter.

The C2PA does not offer any bounty rewards at this time.