Coordinated vulnerability disclosure
We welcome reports of security issues in any sapctl-maintained software and infrastructure. Please email security@sapctl.dev with the details. Our PGP key is linked from /.well-known/security.txt (RFC 9116); fingerprint 5C1F 9C8D 2D9E 4D6B 91FA A6E0 3A1E 44C4 1E0C E1AC.
We acknowledge within 24 hours, triage within 3 business days, and aim to ship a fix within 30 days for high-severity issues. We credit reporters in the published advisory unless you ask us not to.
In scope
- The sapctl command-line tool and its first-party plug-ins.
- The sapctl.dev website and the Trust Portal.
- Build, signing, and release infrastructure.
Out of scope
- SAP-vendor systems, third-party SaaS used as sub-processors, and customer SAP tenants.
- Reports requiring physical access, social engineering of staff, or DDoS.
- Findings produced solely by automated scanners without a working proof-of-concept.
Safe harbour
Good-faith research under this policy is authorised: we will not pursue legal action against researchers who comply with this policy, avoid privacy violations and service disruption, and give us reasonable time to fix issues before public disclosure.
Supply chain
- Every release is reproducibly built, and its artifacts are signed and attested with cosign keyless (Sigstore) signing.
- Each release ships a CycloneDX 1.7 SBOM and SPDX 3.0.1 SBOM, plus SLSA L3 provenance.
- Dependency upgrades go through automated SCA and human review; CVEs in transitive dependencies are tracked against an internal remediation SLA.
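Verifying the signature on the provenance attestation is cosign's job; what a consumer still has to do afterwards is check that the (now trusted) statement actually describes the binary in hand and was produced by the expected builder from the expected repository. The check below is an added example and not sapctl's own tooling: it takes a SLSA v1 provenance statement as a Python dict, the artifact's file name and bytes, and returns the list of policy failures. The builder workflow id and the `git+https://github.com/sapctl/sapctl@` source prefix are placeholders assumed for the example; the sample artifact and provenance are constructed inline and are not a real sapctl release.

```python
import hashlib

# Placeholders (assumptions, not taken from the policy page): the exact builder
# workflow and source URI sapctl uses are not stated there.
EXPECTED_BUILDER_ID = ("https://github.com/slsa-framework/slsa-github-generator"
                       "/.github/workflows/generator_generic_slsa3.yml")
EXPECTED_SOURCE_PREFIX = "git+https://github.com/sapctl/sapctl@"

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def check_provenance(statement, artifact_name, artifact_bytes,
                     expected_builder_id=EXPECTED_BUILDER_ID,
                     expected_source_prefix=EXPECTED_SOURCE_PREFIX):
    """Return the list of policy failures for one artifact; [] means it passes.

    Assumes cosign has already verified the attestation signature and the
    signer's certificate identity; this only checks what the statement claims.
    """
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("not an in-toto Statement v1")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append("predicate is not SLSA provenance v1")

    # The subject binds the attestation to exactly this artifact content.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subject = next((s for s in statement.get("subject", [])
                    if s.get("name") == artifact_name), None)
    if subject is None:
        failures.append(f"{artifact_name} is not a subject of the statement")
    elif subject.get("digest", {}).get("sha256") != digest:
        failures.append("subject digest mismatch")

    predicate = statement.get("predicate", {})
    # builder.id identifies the hosted, isolated builder; it is pinned with an
    # @refs/tags/... suffix, so compare the workflow path part only.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if builder_id.split("@", 1)[0] != expected_builder_id:
        failures.append(f"unexpected builder id: {builder_id or '<missing>'}")

    # The source checkout must appear among the resolved dependencies.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(expected_source_prefix) for d in deps):
        failures.append("expected source repository not among resolvedDependencies")
    return failures


# Constructed sample artifact and provenance (not a real sapctl release).
SAMPLE_NAME = "sapctl_linux_amd64"
SAMPLE_ARTIFACT = b"sapctl_linux_amd64 placeholder binary\n"
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": SAMPLE_NAME,
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "resolvedDependencies": [
                {"uri": EXPECTED_SOURCE_PREFIX + "refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID + "@refs/tags/v2.0.0"}},
    },
}

if __name__ == "__main__":
    print("genuine artifact:", check_provenance(SAMPLE_STATEMENT, SAMPLE_NAME, SAMPLE_ARTIFACT))
    print("tampered artifact:", check_provenance(SAMPLE_STATEMENT, SAMPLE_NAME, SAMPLE_ARTIFACT + b"x"))
```

The three predicate checks are what distinguish "signed by someone" from "built by the hosted builder from our repository": a valid Sigstore signature on a statement whose builder id or source URI is wrong is still a supply-chain failure, so the consumer policy has to name both explicitly rather than accept any validly signed provenance.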
CRA Article 14 reporting
From 11 September 2026, sapctl will report actively exploited vulnerabilities in its products through the ENISA single reporting platform to the CSIRT designated as coordinator and to ENISA, as the Cyber Resilience Act requires: an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available. Severe incidents with an impact on product security follow the same 24-hour and 72-hour steps, with a final report within one month of the incident notification. Customers can subscribe to a private advisory feed by emailing security@sapctl.dev.
Advisories
Public advisories are published as GitHub Security Advisories on sapctl/sapctl and mirrored as an RSS feed at /advisories.xml. No active advisories at the time of writing.
Contact
security@sapctl.dev · PGP fingerprint 5C1F 9C8D 2D9E 4D6B 91FA A6E0 3A1E 44C4 1E0C E1AC · security.txt