THIRD-PARTY-NOTICES

This file contains third-party attribution notices for content embedded in hve-core instruction and skill files. These notices supplement inline attribution blocks within individual files.

---

OWASP Top 10 (2025), OWASP Top 10 for LLM Applications (2025), and OWASP Top 10 for Agentic Applications (2026)

Copyright: © OWASP Foundation
License: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
License URI: https://creativecommons.org/licenses/by-sa/4.0/
Source: https://owasp.org/Top10/2025/
Source: https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/
Source: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
Usage: Category names, IDs, and condensed descriptions in security instruction files. Vulnerability reference documents in skill files restructured into agent-consumable format with added detection and remediation guidance.

OWASP® is a registered trademark of the OWASP Foundation.

---

NIST SP 800-53 Rev. 5 and NIST AI RMF 1.0

License: Public Domain (17 U.S.C. § 105 — U.S. Government Work)
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Source: https://www.nist.gov/artificial-intelligence/ai-risk-management-framework
Usage: Control family names, IDs, and condensed descriptions embedded in security instruction files.

---

OpenSSF Scorecard

License: Apache License 2.0
Source: https://github.com/ossf/scorecard
Usage: Check names, risk levels, and score ranges embedded in supply chain security instruction files.

---

SLSA (Supply-chain Levels for Software Artifacts)

License: Community Specification License 1.0
Source: https://slsa.dev/spec/
Usage: Build track level definitions embedded in supply chain security instruction files.
---

OpenSSF Best Practices Badge (CII Best Practices)

License: MIT License (criteria), Creative Commons Attribution 3.0+ (documentation)
Source: https://www.bestpractices.dev/
Usage: Badge tier names and requirement summaries embedded in supply chain security instruction files.

---

Sigstore

License: Apache License 2.0
Source: https://www.sigstore.dev/
Usage: Component maturity levels embedded in supply chain security instruction files.

---

SPDX (Software Package Data Exchange)

License: Community Specification License 1.0
Source: https://spdx.dev/
Usage: Format comparison data embedded in supply chain security instruction files.

---

CycloneDX

License: Apache License 2.0
Source: https://cyclonedx.org/
Usage: Format comparison data embedded in supply chain security instruction files.

---

NTIA Minimum Elements for Software Bill of Materials

License: Public Domain (17 U.S.C. § 105 — U.S. Government Work)
Source: https://www.ntia.gov/page/software-bill-materials
Usage: Minimum element names referenced in supply chain security instruction files.

---

OpenSSF® is a registered trademark of the Linux Foundation.
OWASP® is a registered trademark of the OWASP Foundation.