Vulnerability Management: Working Group Charter
June 19, 2026
Mission
Provides discreet management of security vulnerability issues relevant to active CF projects.
Goals
- Provide a single point of contact for security vulnerability reporting and management.
- Provide management of security vulnerability reports through to resolution, including but not limited to triage, reporter and team coordination, embargo negotiation, CVSS scoring, CVE assignments, pre-disclosure and disclosure.
Scope
- Triage incoming security vulnerability reports to security@cloudfoundry.org.
- Manage vulnerabilities through dedicated Slack channels.
- When appropriate, negotiate suitable embargo periods with the reporter to afford component teams time to fix the issue before it becomes known publicly.
- When appropriate, assign CVE numbers to vulnerabilities/fixes.
- Publish pre-disclosures to allow all CF distributions time to adopt fixes for high/critical vulnerabilities before they become known publicly.
- Publish disclosures of reported security vulnerabilities.
Non-Goals
- Add security-related features to Cloud Foundry projects.
Technical Lead(s):
Execution Lead(s):
Roles & Technical Assets
Security process and broadcast channels for security disclosures.
name: Vulnerability Management
execution_leads:
  - name: Thomas Thalhofer
    github: thomasthal
  - name: Clemens Hoffmann
    github: hoffmaen
technical_leads:
  - name: Paul Warren
    github: paulcwarren
bots: []
areas: []