---
title: Security
description: Security vulnerability reporting procedures and Microsoft's coordinated disclosure policy
author: Microsoft Security Response Center
ms.date: 2026-03-01
ms.topic: reference
keywords:
estimated_reading_time: 5
---
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, including Microsoft, Azure, DotNet, AspNet and Xamarin.
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's definition of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report.
If you prefer to submit without logging in, send email to secure@microsoft.com. If possible, encrypt your message with our PGP key; please download it from the Microsoft Security Response Center PGP Key page.
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at microsoft.com/msrc.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty Program page for more details about our active programs.
We prefer all communications to be in English.
Microsoft follows the principle of Coordinated Vulnerability Disclosure.
For comprehensive security documentation including security models and security controls, see Security Documentation.
HVE Core releases are cryptographically signed using GitHub Artifact Attestations. This establishes provenance and allows you to verify that release artifacts were built from this repository's official CI/CD pipeline.
1. Install the GitHub CLI if not already available:

   ```shell
   # Windows (winget)
   winget install GitHub.cli

   # macOS (Homebrew)
   brew install gh
   ```

2. Download the release artifact (replace `<version>` with the release tag, e.g., `v1.2.0`):

   ```shell
   gh release download <version> -R microsoft/hve-core -p '*.vsix'
   ```

3. Verify the attestation:

   ```shell
   # VSIX extension package
   gh attestation verify hve-core-<version>.vsix -R microsoft/hve-core

   # Plugin ZIP package (replace <plugin-id> with the collection id)
   gh attestation verify <plugin-id>.zip -R microsoft/hve-core
   ```
A successful verification confirms:
- The artifact was built from the microsoft/hve-core repository
- The build occurred in GitHub Actions
- The artifact has not been modified since signing
Each release includes a Software Bill of Materials (SBOM) in SPDX 2.3 JSON format, cryptographically attested using Sigstore. For verification steps, download instructions, inspection commands, and SPDX field reference, see the SBOM Verification Guide.
Each attested artifact produces a set of companion files uploaded alongside the primary asset:
| Suffix | Format | Purpose |
|---|---|---|
| `.spdx.json` | SPDX 2.3 JSON | Software Bill of Materials |
| `.sigstore.json` | Sigstore bundle (JSON) | Cryptographic attestation envelope |
| `.intoto.jsonl` | in-toto DSSE envelope | Provenance statement extracted from the bundle |
The `.sigstore.json` bundle contains the full Sigstore verification material. The `.intoto.jsonl` file is the DSSE envelope extracted from the bundle for tools that consume in-toto provenance directly.
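The three facts that a successful `gh attestation verify` confirms (built from `microsoft/hve-core`, built in GitHub Actions, unmodified since signing) are claims carried inside the in-toto statement of the `.intoto.jsonl` DSSE envelope described above. The script below is an added example, not code from the hve-core project: it decodes such an envelope offline and shows which statement fields back each claim, binding the statement to the downloaded artifact's SHA-256 and reading the source repository and builder id out of the provenance. It constructs its own sample envelope and artifact, assumes the SLSA v1 field layout used by GitHub's workflow buildType (`buildDefinition.externalParameters.workflow.repository`, `runDetails.builder.id`, the buildType URI), and does not check the Sigstore signature at all, so it complements `gh attestation verify` rather than replacing it.

```python
"""Offline inspection of a GitHub Artifact Attestation provenance envelope.

Added example, not code from the hve-core project. Given the `.intoto.jsonl`
companion file and the downloaded artifact, it checks that the DSSE envelope's
in-toto statement names that exact artifact (by SHA-256), is a SLSA v1
provenance, and claims the expected source repository and a GitHub Actions
builder. It does not verify the Sigstore signature: `gh attestation verify`
does that, and these checks only mean something for an envelope that passed it.
"""
import base64
import hashlib
import json

EXPECTED_REPO = "https://github.com/microsoft/hve-core"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
# buildType GitHub Actions uses for workflow-built artifacts (assumed here,
# not taken from the page).
GITHUB_WORKFLOW_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"


def inspect_provenance(envelope_jsonl, artifact, artifact_name, expected_repo=EXPECTED_REPO):
    """Decode a DSSE envelope and return the named checks plus extracted facts."""
    # .intoto.jsonl holds one DSSE envelope per line; a release asset has one.
    first_line = next(line for line in envelope_jsonl.splitlines() if line.strip())
    envelope = json.loads(first_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    predicate = statement.get("predicate", {})
    build_def = predicate.get("buildDefinition", {})
    # Field paths follow the SLSA v1 layout of GitHub's workflow buildType
    # (assumed, see module docstring).
    source_repo = build_def.get("externalParameters", {}).get("workflow", {}).get("repository")
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    artifact_sha256 = hashlib.sha256(artifact).hexdigest()

    checks = {
        "dsse_payload_type": envelope.get("payloadType") == INTOTO_PAYLOAD_TYPE,
        "has_signature": bool(envelope.get("signatures")),
        "intoto_statement_v1": statement.get("_type") == INTOTO_STATEMENT_V1,
        "slsa_provenance_v1": statement.get("predicateType") == SLSA_PROVENANCE_V1,
        # The statement must name the bytes we actually hold: same file name and
        # same digest. A tampered download fails here even if the envelope is valid.
        "subject_matches_artifact": any(
            s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == artifact_sha256
            for s in statement.get("subject", [])
        ),
        "source_repo_matches": source_repo == expected_repo,
        # Builder id is the workflow file of the expected repo at the release ref.
        "built_on_github_actions": (
            build_def.get("buildType") == GITHUB_WORKFLOW_BUILD_TYPE
            and builder_id.startswith(expected_repo + "/.github/workflows/")
        ),
    }
    return {
        "ok": all(checks.values()),
        "checks": checks,
        "artifact_sha256": artifact_sha256,
        "source_repo": source_repo,
        "builder_id": builder_id,
    }


def make_sample_envelope(artifact, artifact_name, repo=EXPECTED_REPO, tag="v1.2.0"):
    """Build a constructed, unsigned DSSE envelope shaped like a GitHub attestation."""
    statement = {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": artifact_name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": GITHUB_WORKFLOW_BUILD_TYPE,
                "externalParameters": {
                    "workflow": {"ref": "refs/tags/" + tag, "repository": repo, "path": ".github/workflows/release.yml"}
                },
            },
            "runDetails": {"builder": {"id": repo + "/.github/workflows/release.yml@refs/tags/" + tag}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # The signature is a placeholder: this envelope only exercises the parser.
    envelope = {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}
    return json.dumps(envelope) + "\n"


# Constructed stand-in for a downloaded .vsix; not a real extension package.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed vsix stand-in"
SAMPLE_NAME = "hve-core-v1.2.0.vsix"
SAMPLE_ENVELOPE = make_sample_envelope(SAMPLE_ARTIFACT, SAMPLE_NAME)


if __name__ == "__main__":
    good = inspect_provenance(SAMPLE_ENVELOPE, SAMPLE_ARTIFACT, SAMPLE_NAME)
    tampered = inspect_provenance(SAMPLE_ENVELOPE, SAMPLE_ARTIFACT + b"\x00", SAMPLE_NAME)
    print("intact artifact:", good["ok"], good["builder_id"])
    print("tampered artifact:", tampered["ok"], tampered["checks"]["subject_matches_artifact"])
```

Against a real release, replace `SAMPLE_ENVELOPE` with the contents of the downloaded `.intoto.jsonl` and `SAMPLE_ARTIFACT` with the bytes of the matching `.vsix` or plugin `.zip`; the `subject_matches_artifact` check is the one that flips when the asset has been altered after attestation, and `source_repo_matches` is the one that flips when a look-alike fork produced the envelope. Because nothing here validates the signature, treat a passing result as "the statement is internally consistent with what I downloaded", and keep `gh attestation verify` as the authority on whether that statement is genuine.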
| Artifact | Channel | Signed |
|---|---|---|
| VSIX extension package | GitHub Releases | Yes |
| Plugin ZIP package | GitHub Releases | Yes |
| Per-extension SBOM | GitHub Releases | Yes |
| Per-plugin SBOM | GitHub Releases | Yes |
| Dependency SBOM | GitHub Releases | Yes |
| Dependency diff | GitHub Releases | No |
| VS Code Marketplace | Stable | Marketplace signature |
| VS Code Marketplace | Pre-Release | Marketplace signature |
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.