THIRD-PARTY-NOTICES

This file contains third-party attribution notices for content embedded in hve-core
instruction and skill files. These notices supplement inline attribution blocks within
individual files.

---

OWASP Top 10 (2025), OWASP Top 10 for LLM Applications (2025), and OWASP Top 10 for Agentic Applications (2026)
Copyright: © OWASP Foundation
License: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
License URI: https://creativecommons.org/licenses/by-sa/4.0/
Source: https://owasp.org/Top10/2025/
Source: https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
Source: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
Usage: Category names, IDs, and condensed descriptions in security instruction files.
Vulnerability reference documents in skill files restructured into agent-consumable
format with added detection and remediation guidance.
OWASP® is a registered trademark of the OWASP Foundation.

---

NIST SP 800-53 Rev. 5 and NIST AI RMF 1.0
License: Public Domain (17 U.S.C. § 105 — U.S. Government Work)
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Source: https://www.nist.gov/artificial-intelligence/ai-risk-management-framework
Usage: Control family names, IDs, and condensed descriptions embedded in security
instruction files.

---

OpenSSF Scorecard
License: Apache License 2.0
Source: https://github.com/ossf/scorecard
Usage: Check names, risk levels, and score ranges embedded in supply chain security
instruction files.

---

SLSA (Supply-chain Levels for Software Artifacts)
License: Community Specification License 1.0
Source: https://slsa.dev/spec/
Usage: Build track level definitions embedded in supply chain security instruction files.

---

OpenSSF Best Practices Badge (CII Best Practices)
License: MIT License (criteria), Creative Commons Attribution 3.0+ (documentation)
Source: https://www.bestpractices.dev/
Usage: Badge tier names and requirement summaries embedded in supply chain security
instruction files.

---

Sigstore
License: Apache License 2.0
Source: https://www.sigstore.dev/
Usage: Component maturity levels embedded in supply chain security instruction files.

---

SPDX (Software Package Data Exchange)
License: Community Specification License 1.0
Source: https://spdx.dev/
Usage: Format comparison data embedded in supply chain security instruction files.

---

CycloneDX
License: Apache License 2.0
Source: https://cyclonedx.org/
Usage: Format comparison data embedded in supply chain security instruction files.

---

NTIA Minimum Elements for Software Bill of Materials
License: Public Domain (17 U.S.C. § 105 — U.S. Government Work)
Source: https://www.ntia.gov/page/software-bill-materials
Usage: Minimum element names referenced in supply chain security instruction files.

---

OpenSSF® is a registered trademark of the Linux Foundation.
