If you discover a security vulnerability in this framework (e.g., exposed credentials, insecure configuration guidance, or incorrect security recommendations), please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email the maintainers directly or use GitHub's private vulnerability reporting feature:
- Navigate to the Security tab of this repository
- Click "Report a vulnerability"
- Provide a description of the issue, affected files, and potential impact
This security policy covers:
- Configuration guidance — If any playbook or control document recommends an insecure configuration, this is a reportable issue
- Credential exposure — If any file contains credentials, API keys, or sensitive tokens
- Incorrect regulatory guidance — If security-related regulatory guidance is materially incorrect in a way that could lead to insecure deployments
- Link integrity — If any external link redirects to a malicious or unintended destination
We aim to acknowledge security reports within 48 hours and provide a resolution timeline within 5 business days.
This framework provides governance guidance for Microsoft 365 Copilot and does not include executable code, APIs, or services. Security vulnerabilities in Microsoft 365 Copilot itself should be reported to Microsoft via their Security Response Center.