If you discover a security vulnerability in the ADP specification or reference implementation, please report it responsibly.
Do not open a public issue.
Instead, email security@gouvernance.ai with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.

This security policy covers:
- The ADP specification documents
- JSON schemas and validation rules
- Reference implementation code
- Example configurations

| Version | Supported |
|---|---|
| 0.1.x | ✅ Current |

The ADP specification includes several security-relevant components:
- Hash-chained trace integrity: Decision traces use SHA-256 hash chaining to ensure immutability
- Authorization matrix: Defines mandatory human approval requirements
- Self-modification detection: D4 classification requires human approval by design
- Policy enforcement: Governance policies can enforce security boundaries

When implementing ADP, ensure that trace storage is append-only, hash chains are validated on read, approval workflows use authenticated channels, and policy evaluation cannot be bypassed by agents.
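
One way to validate a SHA-256 hash chain on read, as an added example (not ADP reference implementation code): the entry layout (`prev_hash`, `payload`, `hash`), the all-zero genesis value and the canonical JSON encoding are assumptions, not the ADP schema. The head hash kept outside the trace store is what lets the check catch truncation, which link validation alone cannot.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash value for the first trace entry


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal payloads hash equally.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(chain: list, payload: dict) -> str:
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = entry_hash(prev, payload)
    chain.append({"prev_hash": prev, "payload": payload, "hash": digest})
    return digest  # new head hash; keep a copy outside the trace store


def first_invalid(chain: list, trusted_head: Optional[str] = None) -> Optional[int]:
    # Returns the index of the first entry that fails validation, None if intact,
    # or len(chain) when all links hold but the head differs (truncation/rewrite).
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None


def build_sample():
    # Constructed sample trace; field names and values are illustrative only.
    chain, head = [], None
    for payload in (
        {"seq": 0, "decision": "read_config", "approved_by": None},
        {"seq": 1, "decision": "change_policy", "approved_by": "alice"},
        {"seq": 2, "decision": "deploy", "approved_by": "bob"},
    ):
        head = append_entry(chain, payload)
    return chain, head


if __name__ == "__main__":
    chain, head = build_sample()
    chain[1]["payload"]["approved_by"] = None  # simulate tampering in storage
    print("first invalid entry:", first_invalid(chain, head))
```
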