From a59f803151efe0cdde9f4bd560588f334e0667b4 Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 10 Apr 2026 14:41:17 +1000 Subject: [PATCH 1/5] docs(skill): add third-party attribution `owasp-infrastructure` --- .../skills/security/owasp-infrastructure/SKILL.md | 13 ++++++++++++- .../references/00-vulnerability-index.md | 5 +++++ .../references/01-outdated-software.md | 5 +++++ .../references/02-insufficient-threat-detection.md | 5 +++++ .../references/03-insecure-configurations.md | 5 +++++ .../04-insecure-resource-user-management.md | 5 +++++ .../references/05-insecure-use-of-cryptography.md | 5 +++++ .../06-insecure-network-access-management.md | 5 +++++ ...7-insecure-authentication-default-credentials.md | 5 +++++ .../references/08-information-leakage.md | 5 +++++ ...secure-access-resources-management-components.md | 5 +++++ ...0-insufficient-asset-management-documentation.md | 5 +++++ 12 files changed, 67 insertions(+), 1 deletion(-) diff --git a/.github/skills/security/owasp-infrastructure/SKILL.md b/.github/skills/security/owasp-infrastructure/SKILL.md index 19dcf1702..f7f82f372 100644 --- a/.github/skills/security/owasp-infrastructure/SKILL.md +++ b/.github/skills/security/owasp-infrastructure/SKILL.md @@ -12,7 +12,7 @@ metadata: content_based_on: "https://owasp.org/www-project-top-10-infrastructure-security-risks/" --- -# OWASP Infrastructure Top 10 — Skill Entry +# OWASP® Infrastructure Top 10 — Skill Entry This `SKILL.md` is the **entrypoint** for the OWASP Infrastructure Top 10 skill. 
@@ -41,6 +41,17 @@ infrastructure security risks. * `00-vulnerability-index.md` — index of all vulnerability identifiers, categories, and cross-references. * `01` through `10` — one document per vulnerability aligned with OWASP Infrastructure Security numbering. +## Third-Party Attribution + +Copyright © OWASP Foundation. +OWASP® Top 10 Infrastructure Security Risks (2024) content is derived from works by the +OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Source: +Modifications: Vulnerability descriptions restructured into agent-consumable reference +documents with added detection and remediation guidance. +OWASP® is a registered trademark of the OWASP Foundation. Use does not imply endorsement. + --- *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/00-vulnerability-index.md b/.github/skills/security/owasp-infrastructure/references/00-vulnerability-index.md index 35f400c51..c3240a09e 100644 --- a/.github/skills/security/owasp-infrastructure/references/00-vulnerability-index.md +++ b/.github/skills/security/owasp-infrastructure/references/00-vulnerability-index.md @@ -73,4 +73,9 @@ Each vulnerability document follows a consistent structure: --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/01-outdated-software.md b/.github/skills/security/owasp-infrastructure/references/01-outdated-software.md index fb05436ad..d1369ff35 100644 --- a/.github/skills/security/owasp-infrastructure/references/01-outdated-software.md 
+++ b/.github/skills/security/owasp-infrastructure/references/01-outdated-software.md @@ -83,4 +83,9 @@ plans, selling them to competitors. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/02-insufficient-threat-detection.md b/.github/skills/security/owasp-infrastructure/references/02-insufficient-threat-detection.md index 9f7eb59eb..9fceb4201 100644 --- a/.github/skills/security/owasp-infrastructure/references/02-insufficient-threat-detection.md +++ b/.github/skills/security/owasp-infrastructure/references/02-insufficient-threat-detection.md @@ -92,4 +92,9 @@ The exfiltrated data and files are later sold to competitors. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/03-insecure-configurations.md b/.github/skills/security/owasp-infrastructure/references/03-insecure-configurations.md index 83f8eb499..17f93ea6d 100644 --- a/.github/skills/security/owasp-infrastructure/references/03-insecure-configurations.md +++ b/.github/skills/security/owasp-infrastructure/references/03-insecure-configurations.md 
@@ -80,4 +80,9 @@ potentially endangering patient care. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/04-insecure-resource-user-management.md b/.github/skills/security/owasp-infrastructure/references/04-insecure-resource-user-management.md index 1f96a70a2..10f377eb0 100644 --- a/.github/skills/security/owasp-infrastructure/references/04-insecure-resource-user-management.md +++ b/.github/skills/security/owasp-infrastructure/references/04-insecure-resource-user-management.md @@ -96,4 +96,9 @@ The weak password and lack of resource management enabled unauthorized access an --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/05-insecure-use-of-cryptography.md b/.github/skills/security/owasp-infrastructure/references/05-insecure-use-of-cryptography.md index 393441009..95aca36da 100644 --- a/.github/skills/security/owasp-infrastructure/references/05-insecure-use-of-cryptography.md +++ b/.github/skills/security/owasp-infrastructure/references/05-insecure-use-of-cryptography.md 
@@ -95,4 +95,9 @@ Customers unknowingly transfer money to the attacker. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/06-insecure-network-access-management.md b/.github/skills/security/owasp-infrastructure/references/06-insecure-network-access-management.md index 096ba8452..98b6d37f5 100644 --- a/.github/skills/security/owasp-infrastructure/references/06-insecure-network-access-management.md +++ b/.github/skills/security/owasp-infrastructure/references/06-insecure-network-access-management.md @@ -94,4 +94,9 @@ pivot point into the internal network for additional attacks. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/07-insecure-authentication-default-credentials.md b/.github/skills/security/owasp-infrastructure/references/07-insecure-authentication-default-credentials.md index d095a43c1..82f6607fb 100644 --- a/.github/skills/security/owasp-infrastructure/references/07-insecure-authentication-default-credentials.md +++ b/.github/skills/security/owasp-infrastructure/references/07-insecure-authentication-default-credentials.md 
@@ -79,4 +79,9 @@ login attempts, and promote password best practices among users. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/08-information-leakage.md b/.github/skills/security/owasp-infrastructure/references/08-information-leakage.md index 39c925a52..52d3a518e 100644 --- a/.github/skills/security/owasp-infrastructure/references/08-information-leakage.md +++ b/.github/skills/security/owasp-infrastructure/references/08-information-leakage.md @@ -82,4 +82,9 @@ financial, legal, and reputational damage. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/09-insecure-access-resources-management-components.md b/.github/skills/security/owasp-infrastructure/references/09-insecure-access-resources-management-components.md index aed81d620..9d0d31847 100644 --- a/.github/skills/security/owasp-infrastructure/references/09-insecure-access-resources-management-components.md +++ b/.github/skills/security/owasp-infrastructure/references/09-insecure-access-resources-management-components.md 
@@ -89,4 +89,9 @@ management traffic, and implement regular monitoring and logging of network devi --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-infrastructure/references/10-insufficient-asset-management-documentation.md b/.github/skills/security/owasp-infrastructure/references/10-insufficient-asset-management-documentation.md index 817c2bb20..aa120e4d0 100644 --- a/.github/skills/security/owasp-infrastructure/references/10-insufficient-asset-management-documentation.md +++ b/.github/skills/security/owasp-infrastructure/references/10-insufficient-asset-management-documentation.md @@ -91,4 +91,9 @@ Damaged systems are rebuilt without extended disruption. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* From 294e7242896beca447e02037b291e1e51d708e4d Mon Sep 17 00:00:00 2001 
From: Jason Date: Fri, 10 Apr 2026 14:42:23 +1000 Subject: [PATCH 2/5] docs(skill): add third-party attribution to `owasp-mcp` --- .github/skills/security/owasp-mcp/SKILL.md | 17 ++++++++++++++--- .../references/00-vulnerability-index.md | 5 +++++ .../01-token-mismanagement-secret-exposure.md | 5 +++++ .../02-privilege-escalation-scope-creep.md | 5 +++++ .../owasp-mcp/references/03-tool-poisoning.md | 5 +++++ ...supply-chain-attacks-dependency-tampering.md | 5 +++++ .../05-command-injection-execution.md | 5 +++++ .../06-prompt-injection-contextual-payloads.md | 5 +++++ ...insufficient-authentication-authorization.md | 5 +++++ .../references/08-lack-of-audit-telemetry.md | 5 +++++ .../references/09-shadow-mcp-servers.md | 5 +++++ .../10-context-injection-over-sharing.md | 5 +++++ 12 files changed, 69 insertions(+), 3 deletions(-) diff --git a/.github/skills/security/owasp-mcp/SKILL.md b/.github/skills/security/owasp-mcp/SKILL.md index 7439e82d5..57478315a 100644 --- a/.github/skills/security/owasp-mcp/SKILL.md +++ b/.github/skills/security/owasp-mcp/SKILL.md @@ -1,7 +1,7 @@ --- name: owasp-mcp -description: OWASP MCP Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core. -license: CC-BY-SA-4.0 +description: OWASP MCP Top 10 (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core. +license: CC-BY-NC-SA-4.0 user-invocable: false metadata: authors: "OWASP MCP Top 10 Project" @@ -12,7 +12,7 @@ metadata: content_based_on: "https://owasp.org/www-project-mcp-top-10/" --- -# OWASP MCP Top 10 — Skill Entry +# OWASP® MCP Top 10 — Skill Entry This `SKILL.md` is the **entrypoint** for the MCP Vulnerabilities skill. 
@@ -40,6 +40,17 @@ that an agent can query to identify, assess, and remediate MCP security risks. - `00-vulnerability-index.md` — index of all vulnerability identifiers, severities, and cross-references. - `01` through `10` — one document per vulnerability aligned with OWASP MCP numbering. +## Third-Party Attribution + +Copyright © OWASP Foundation. +OWASP® MCP Top 10 (2025) content is derived from works by the +OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Source: +Modifications: Vulnerability descriptions restructured into agent-consumable reference +documents with added detection and remediation guidance. +OWASP® is a registered trademark of the OWASP Foundation. Use does not imply endorsement. + --- *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/00-vulnerability-index.md b/.github/skills/security/owasp-mcp/references/00-vulnerability-index.md index cec3cc2f0..97ad84d42 100644 --- a/.github/skills/security/owasp-mcp/references/00-vulnerability-index.md +++ b/.github/skills/security/owasp-mcp/references/00-vulnerability-index.md @@ -70,5 +70,10 @@ Each vulnerability document follows a consistent structure: --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/01-token-mismanagement-secret-exposure.md b/.github/skills/security/owasp-mcp/references/01-token-mismanagement-secret-exposure.md index 42a47c02b..44962a429 100644 --- a/.github/skills/security/owasp-mcp/references/01-token-mismanagement-secret-exposure.md 
+++ b/.github/skills/security/owasp-mcp/references/01-token-mismanagement-secret-exposure.md @@ -85,4 +85,9 @@ The model complies in a later unrelated session, leaking tokens. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/02-privilege-escalation-scope-creep.md b/.github/skills/security/owasp-mcp/references/02-privilege-escalation-scope-creep.md index 61fbdc079..af6e2ff29 100644 --- a/.github/skills/security/owasp-mcp/references/02-privilege-escalation-scope-creep.md +++ b/.github/skills/security/owasp-mcp/references/02-privilege-escalation-scope-creep.md @@ -84,4 +84,9 @@ include org:admin, enabling full takeover. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/03-tool-poisoning.md b/.github/skills/security/owasp-mcp/references/03-tool-poisoning.md index ec7b15575..46341226e 100644 --- a/.github/skills/security/owasp-mcp/references/03-tool-poisoning.md +++ b/.github/skills/security/owasp-mcp/references/03-tool-poisoning.md 
@@ -87,4 +87,9 @@ benign requests become destructive. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/04-supply-chain-attacks-dependency-tampering.md b/.github/skills/security/owasp-mcp/references/04-supply-chain-attacks-dependency-tampering.md index a89ad4755..7ef200c7b 100644 --- a/.github/skills/security/owasp-mcp/references/04-supply-chain-attacks-dependency-tampering.md +++ b/.github/skills/security/owasp-mcp/references/04-supply-chain-attacks-dependency-tampering.md @@ -93,4 +93,9 @@ methods that call destructive APIs. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/05-command-injection-execution.md b/.github/skills/security/owasp-mcp/references/05-command-injection-execution.md index 00d71fe73..29566b2ba 100644 --- a/.github/skills/security/owasp-mcp/references/05-command-injection-execution.md +++ b/.github/skills/security/owasp-mcp/references/05-command-injection-execution.md 
@@ -90,4 +90,9 @@ The agent constructs an unparameterized query and the injection destroys the dat --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/06-prompt-injection-contextual-payloads.md b/.github/skills/security/owasp-mcp/references/06-prompt-injection-contextual-payloads.md index 3db2db542..e1078b806 100644 --- a/.github/skills/security/owasp-mcp/references/06-prompt-injection-contextual-payloads.md +++ b/.github/skills/security/owasp-mcp/references/06-prompt-injection-contextual-payloads.md @@ -79,4 +79,9 @@ When retrieved, it contains hidden instructions to reveal the system prompt or A --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/07-insufficient-authentication-authorization.md b/.github/skills/security/owasp-mcp/references/07-insufficient-authentication-authorization.md index 47a83b972..65894dfcd 100644 --- a/.github/skills/security/owasp-mcp/references/07-insufficient-authentication-authorization.md +++ b/.github/skills/security/owasp-mcp/references/07-insufficient-authentication-authorization.md 
@@ -92,4 +92,9 @@ privileged functions intended only for admins. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/08-lack-of-audit-telemetry.md b/.github/skills/security/owasp-mcp/references/08-lack-of-audit-telemetry.md index 44322aa1b..b5e6efa9d 100644 --- a/.github/skills/security/owasp-mcp/references/08-lack-of-audit-telemetry.md +++ b/.github/skills/security/owasp-mcp/references/08-lack-of-audit-telemetry.md @@ -91,4 +91,9 @@ Without telemetry and baselines, changes go unnoticed until a manual audit month --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/09-shadow-mcp-servers.md b/.github/skills/security/owasp-mcp/references/09-shadow-mcp-servers.md index 005170b71..6c2b56b9b 100644 --- a/.github/skills/security/owasp-mcp/references/09-shadow-mcp-servers.md +++ b/.github/skills/security/owasp-mcp/references/09-shadow-mcp-servers.md 
@@ -91,4 +91,9 @@ Manipulated entries propagate into model retraining pipelines, corrupting produc --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* diff --git a/.github/skills/security/owasp-mcp/references/10-context-injection-over-sharing.md b/.github/skills/security/owasp-mcp/references/10-context-injection-over-sharing.md index 27ff9b497..04e49c573 100644 --- a/.github/skills/security/owasp-mcp/references/10-context-injection-over-sharing.md +++ b/.github/skills/security/owasp-mcp/references/10-context-injection-over-sharing.md @@ -83,4 +83,9 @@ Tenant A's internal documents appear in Tenant B's retrieval outputs. --- +Content derived from works by the OWASP Foundation, licensed under CC BY-NC-SA 4.0 +(). +Modifications: Restructured into agent-consumable reference format with added +detection and remediation guidance. + *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* From 277ee53ac10403f6e32527220de84830fb8b732f Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 10 Apr 2026 14:44:18 +1000 Subject: [PATCH 3/5] docs(notices): update `THIRD-PARTY-NOTICES` to include `owasp-infrastructure` --- THIRD-PARTY-NOTICES | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/THIRD-PARTY-NOTICES b/THIRD-PARTY-NOTICES index 353053219..e71992e36 100644 --- a/THIRD-PARTY-NOTICES +++ b/THIRD-PARTY-NOTICES 
@@ -6,10 +6,11 @@ individual files. --- -OWASP Top 10 (2025), OWASP Top 10 for LLM Applications (2025), and OWASP Top 10 for Agentic Applications (2026) +OWASP Top 10 Infrastructure Security Risks (2024), OWASP Top 10 (2025), OWASP Top 10 for LLM Applications (2025), and OWASP Top 10 for Agentic Applications (2026) Copyright: © OWASP Foundation License: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) License URI: https://creativecommons.org/licenses/by-sa/4.0/ +Source: https://owasp.org/www-project-top-10-infrastructure-security-risks/ Source: https://owasp.org/Top10/2025/ Source: https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ Source: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/ From 0e24c75fc405eaac55faf321e4b93b34bf846119 Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 10 Apr 2026 14:45:20 +1000 Subject: [PATCH 4/5] docs(notices): update `THIRD-PARTY-NOTICES` to include `CC BY-NC-SA 4.0` --- THIRD-PARTY-NOTICES | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/THIRD-PARTY-NOTICES b/THIRD-PARTY-NOTICES index e71992e36..c13c20808 100644 --- a/THIRD-PARTY-NOTICES +++ b/THIRD-PARTY-NOTICES 
@@ -21,6 +21,18 @@ OWASP® is a registered trademark of the OWASP Foundation. --- +OWASP MCP Top 10 (2025) +Copyright: © OWASP Foundation +License: Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) +License URI: https://creativecommons.org/licenses/by-nc-sa/4.0/ +Source: https://owasp.org/www-project-mcp-top-10/ +Usage: Category names, IDs, and condensed descriptions in security instruction files. +Vulnerability reference documents in skill files restructured into agent-consumable +format with added detection and remediation guidance. +OWASP® is a registered trademark of the OWASP Foundation. + +--- + NIST SP 800-53 Rev. 5 and NIST AI RMF 1.0 License: Public Domain (17 U.S.C. § 105 — U.S. Government Work) Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final @@ -83,3 +95,4 @@ Usage: Minimum element names referenced in supply chain security instruction fil OpenSSF® is a registered trademark of the Linux Foundation. OWASP® is a registered trademark of the OWASP Foundation. + From 408f1ab966bcf160edd6bb1dee12c791a231a74f Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 10 Apr 2026 14:46:08 +1000 Subject: [PATCH 5/5] docs(readme): add reference to owasp skills containing `CC BY-NC-SA 4.0` license --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bc0301f0a..8975a2ee5 100644 --- a/README.md +++ b/README.md 
@@ -105,8 +105,9 @@ This project is licensed under the [MIT License](./LICENSE). ### Licensing Most content in this repository is covered by the MIT License. Certain skill content -derived from OWASP Foundation publications is licensed under -[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/). Each affected +derived from OWASP Foundation publications is licensed under either +[CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/) or +[CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Each affected skill identifies its license in frontmatter and includes a Third-Party Attribution section. See [THIRD-PARTY-NOTICES](./THIRD-PARTY-NOTICES) for full details.
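Review bot: In PATCH 1/5, the new "Third-Party Attribution" section of `owasp-infrastructure/SKILL.md` shows an empty `()` after "licensed under CC BY-SA 4.0" and a bare `Source:` line with nothing after it, and every reference-file footer in the same patch repeats the same empty `()`. CC BY-SA 4.0 requires the attribution to include the text of, or a URI/hyperlink to, the license, so confirm the angle-bracket links (`<https://creativecommons.org/licenses/by-sa/4.0/>` and the project URL already carried in the frontmatter `content_based_on` field) are really present in the committed files and not just dropped by the rendering here; if the links are missing, the attribution block does not satisfy the license it cites.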
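Review bot: In PATCH 2/5, the frontmatter hunk of `owasp-mcp/SKILL.md` changes `license: CC-BY-SA-4.0` to `license: CC-BY-NC-SA-4.0`, but the commit subject only says "add third-party attribution". A license correction is a substantive change (the NonCommercial clause restricts how this skill may be reused, in a repository whose README otherwise says MIT), so it should be called out in the commit message, and it is worth stating in the body that the previous `CC-BY-SA-4.0` value was wrong for this source. The `(2025)` added to the `description` line is fine and matches the year used in `THIRD-PARTY-NOTICES`.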
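Review bot: In PATCH 4/5, the second hunk (`@@ -83,3 +95,4 @@`) adds a single blank `+` line after the final "OWASP® is a registered trademark of the OWASP Foundation." line of `THIRD-PARTY-NOTICES`. That is an unrelated whitespace change with no connection to the CC BY-NC-SA block the patch adds; drop it, or if it is an intentional end-of-file newline fix, say so in the commit message. The new block itself is consistent with the per-file footers in PATCH 2/5 (same work, same year, same license URI).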
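Review bot: In PATCH 5/5, the README now says skill content is licensed under "either CC BY-SA 4.0 or CC BY-NC-SA 4.0" without naming which skill carries the NonCommercial license. Since the NC clause is the restriction a downstream user actually needs to know about, name the affected skill here (`owasp-mcp`, per the frontmatter change in PATCH 2/5 and the new entry in PATCH 4/5), for example "the `owasp-mcp` skill is licensed under CC BY-NC-SA 4.0", rather than leaving readers to open each skill's frontmatter or the notices file to find out.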