CimSyntaxGen contains executable code and external libraries, requiring security measures. We use static code scanning and dependency tracking to identify vulnerabilities, which are logged in Jira: CimSyntaxGen Jira Board
If you identify any potential or confirmed security vulnerability in the CimSyntaxGen repository, please report it privately to the CIM Working Group (WG) maintainers via email at [email protected]
In your email:
- Provide your name, company, and contact information.
- Include detailed steps to reproduce the issue and describe its potential impact.
  - To assess the severity of the vulnerability, you may refer to the Apache severity rating scale for guidance.
- You will receive an acknowledgment of your report within 5 working days.
- If the issue is validated as a security vulnerability, the repository users will be informed, and appropriate action will be taken:
  - Critical and important vulnerabilities will be resolved within 30 calendar days.
  - Moderate or low-severity issues will be addressed in the next planned release.
Please report vulnerabilities in the following scenarios:
- When you believe the CimSyntaxGen repository may have been tampered with.
- When you suspect a security vulnerability but are unsure of its potential impact.
To maintain the security and integrity of CimSyntaxGen, the following controls are in place:
- Static Code Scanning & Dependency Tracking
  - Code is continuously scanned for vulnerabilities using automated security tools.
  - External dependencies are monitored and updated to address security risks.
- Access Control
  - Only authorized maintainers have write access.
  - Multi-factor authentication (MFA) is enforced for all maintainers.
- Change Validation & Vulnerability Management
  - All pull requests must be reviewed and approved by at least one maintainer.
  - Identified vulnerabilities are logged in Jira and assigned for resolution.
- Audit & Monitoring
  - GitHub audit logs are reviewed periodically to track changes and access.
  - Alerts are configured for unauthorized access attempts or suspicious activity.
The ENTSO-E governance process ensures that repository integrity is maintained:
- Only maintainers may merge pull requests.
- Maintainers are experienced developers vetted by the ENTSO-E CIM Working Group.
- The approval process ensures that all changes are thoroughly reviewed for integrity and security before integration.
CimSyntaxGen is classified as a Level 1 application, meaning no penetration testing or additional threat modelling is required. Instead, security is maintained through continuous monitoring, scanning, and governance controls to ensure the integrity and safety of the application.