Safe Harbor Drafter (CISA CPG 5.1 VDP)
Overview
Draft and validate a Vulnerability Disclosure Policy (VDP) with CISA-aligned Safe Harbor language and RFC 9116–compliant reporting. Ensures researcher protection and a clear reporting mechanism.
Example Conversation
You: We’re a regional water utility and need a public VDP for CPG 5.1. We want CISA’s Safe Harbor language and a clear way for researchers to report—we’ll use security@waterutility.gov and add a .well-known/security.txt.
Agent: I’ll draft the VDP using the CISA Gold Standard Authorization text from the skill (only the organization name will be replaced with your utility’s name), add a “Reporting a vulnerability” section with security@waterutility.gov and anonymous submission, and create a security.txt with Contact, Expires, and Policy. Then I’ll run vdp_accessibility_check on both.
Agent: Running vdp_accessibility_check on the draft VDP and security.txt…
Agent: Check passed. VDP clearly defines the reporting mechanism (email/address and reporting instructions). security.txt has Contact (mailto:security@waterutility.gov), Expires in RFC 3339 format, and Policy pointing to the VDP URL. You can publish the VDP at /vulnerability-disclosure-policy and security.txt at /.well-known/security.txt.
You: Can we add a web form as a second option?
Agent: I’ve added “Reports may be submitted via our form at [URL] or by email to security@waterutility.gov” and re-ran the check. Still pass—the tool detected both form and email as reporting mechanisms.
What the Tools Validate
The skill includes one extension tool:
vdp_accessibility_check validates that researchers can find and use the reporting channel, and that security.txt (if provided) conforms to RFC 9116:
- Input: Path to the VDP document (Markdown or HTML). Optionally, path to a security.txt file (e.g. .well-known/security.txt).
- VDP checks: The tool scans the document for a clearly defined reporting mechanism: a security/vulnerability email address, a web form or portal, or explicit “where to report” / “how to submit” language. If none are found, it fails and suggests adding a dedicated “Reporting a vulnerability” section with a contact method.
- security.txt checks (when a path is provided):
  - Contact — Required; one or more values; each value must be a mailto:, tel:, or https: URI.
  - Expires — Required, exactly once; value must be an RFC 3339 date-time (e.g. 2025-12-31T23:59:59Z).
  - Policy — Optional; the tool recommends adding it to link to the VDP URL.
- Output: A short report with PASS/WARN/FAIL per finding and a summary (e.g. “RESULT: PASS — Reporting mechanism is clearly defined and security.txt conforms to RFC 9116”).
- Use after drafting or updating the VDP or security.txt so the final policy is accessible and standards-compliant before publication.
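As an added illustration, not the skill’s own vdp_accessibility_check code, the following Python checker applies the three security.txt rules listed above (Contact, Expires, Policy) to a constructed sample file and collapses the findings into the report’s PASS/WARN/FAIL result. The sample values, FIXED_NOW and the stale-expiry warning are assumptions; the stale-expiry warning goes one step beyond the page’s stated checks.

```python
import re
from datetime import datetime, timezone
# Constructed sample; FIXED_NOW is an assumed "current time" so the expiry check is reproducible.
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@example.gov
Expires: 2026-12-31T23:59:59Z
Policy: https://example.gov/vulnerability-disclosure-policy
"""
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
ALLOWED_SCHEMES = ("mailto:", "tel:", "https:")
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$")

def parse_fields(text):
    """Return (name, value) pairs; comment and blank lines are skipped."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def check_security_txt(text, now=None):
    """Apply the Contact / Expires / Policy checks; return [(status, message)]."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    findings = []
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        findings.append(("FAIL", "Contact is required"))
    elif all(v.startswith(ALLOWED_SCHEMES) for v in contacts):
        findings.append(("PASS", f"Contact defined ({len(contacts)} value(s))"))
    else:
        findings.append(("FAIL", "Contact values must be mailto:, tel: or https: URIs"))
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        findings.append(("FAIL", "Expires must appear exactly once"))
    elif not RFC3339.match(expires[0]):
        findings.append(("FAIL", "Expires must be an RFC 3339 date-time"))
    elif datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
        findings.append(("WARN", "Expires is in the past; the file is stale"))  # not in the page's checks
    else:
        findings.append(("PASS", "Expires present and valid"))
    policy = [v for n, v in fields if n == "policy"]
    findings.append(("PASS", "Policy URL declared") if policy
                    else ("WARN", "Policy missing; add a link to the VDP URL"))
    return findings

def overall(findings):  # RESULT line: any FAIL wins, then any WARN, else PASS
    return next((s for s in ("FAIL", "WARN") if any(f[0] == s for f in findings)), "PASS")
```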
Output Excerpt
Excerpts from a generated VDP: the Safe Harbor (Authorization) section using CISA’s recommended language, and the reporting section; then a snippet of the accessibility check report.
Authorization (Safe Harbor) — CISA Gold Standard (excerpt):
### Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Acme Water Authority will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Reporting a vulnerability (excerpt):
### Reporting a vulnerability
We accept vulnerability reports at security@acmewater.gov or via our form at https://acmewater.gov/report-vulnerability. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
VDP accessibility check report (excerpt):
======================================================================
VDP ACCESSIBILITY CHECK (CISA CPG 5.1 / RFC 9116)
======================================================================
VDP file: output/vulnerability-disclosure-policy.md
security.txt: output/.well-known/security.txt
--- FINDINGS ---
[PASS] [VDP] VDP reporting mechanism is defined (email/address, reporting instructions).
[PASS] [security.txt] Contact clearly defined (1 value(s)): mailto:security@acmewater.gov
[PASS] [security.txt] Expires present and valid: 2026-12-31T23:59:59Z
[PASS] [security.txt] Policy URL declared: https://acmewater.gov/vulnerability-disclosure-policy
--- SUMMARY ---
Pass: 4 Warn: 0 Fail: 0
RESULT: PASS — Reporting mechanism is clearly defined and security.txt (if provided) conforms to RFC 9116.
======================================================================
Getting Started
Add your source materials to the project workspace, then activate the Safe Harbor Drafter (CISA CPG 5.1 VDP) skill. The agent will guide you through the process step by step.