
Add Creative Security Scanning to Compliance & Governance Protocol #1035

@pgreenemajor

Description


Status: Proposed Addition
Applies to: Compliance & Governance Protocol v0.2, Section 6.4 (Creative Compliance), Section 10.3 (Creative Compliance Tasks)

1. Motivation

1.1 The Gap in Creative Compliance
Section 6.4 defines creative compliance as regulatory requirement validation, brand guideline enforcement, content appropriateness assessment, and human approval workflow integration. The Creative Protocol handles technical validation — file formats, sizes, rendering, load times.

Neither protocol assesses whether a creative is hostile. A creative can pass every technical spec, every regulatory check, every brand guideline, and still contain obfuscated JavaScript that redirects users to a phishing domain after a 3-second delay. This is not a compliance failure — it is a security threat. It requires different detection methods (sandboxed execution, behavioral analysis, network traffic inspection) and produces a categorically different signal (a threat status, not a compliance score).

1.2 Why This Belongs on CreativeComplianceReport
CreativeComplianceReport is keyed on creative_id and contains all assessment and approval intelligence for that creative. Security assessment is a natural peer to findings, approvals, and remediation_steps — scoped to that creative.

1.3 Threat Actor & Competitive Intelligence Design Principles
Malvertising is an adversarial domain. Unlike compliance scoring — where publishers generally want to improve and transparency drives that — creative security scanning operates against actors who actively probe detection boundaries. Every piece of information in the protocol wire format, agent card, or webhook payload is potentially readable by the entity that submitted the creative. This creates two classes of information hazard:

Threat Actor Exposure: Any signal that helps an attacker understand what was detected, how it was detected, what environments were tested, or how close they came to evading detection accelerates evasion iteration. Malware operators routinely submit creatives to multiple scanners to fingerprint detection capabilities.

Competitive Intelligence Leakage: Security vendors differentiate on detection methodology, environmental coverage, behavioral analysis depth, and evasion-resistance. The protocol must not force vendors to publish capability inventories that competitors can read to benchmark against or that attackers can read to identify coverage gaps.

Design principles applied throughout this proposal:

  1. Opaque results by default. The wire format carries the minimum needed for automated orchestrator decisions (status, severity). Detailed threat intelligence is behind authenticated, access-controlled URLs that the vendor controls.
  2. No detection methodology on the wire. The protocol never transmits what scanning techniques were used, what environments were tested, what heuristics triggered, or what behavioral signatures matched.
  3. No confidence scores on the wire. A categorical status (CLEAN/THREAT/SUSPICIOUS/SCAN_FAILED) is sufficient for orchestrator routing.
  4. Agent cards declare what tasks they support, not how they perform them.
  5. Scan context is omitted from results. Scan breadth is a vendor differentiator, not a protocol field.
  6. Threat categories use a minimal shared vocabulary. Detailed classification is vendor-proprietary, behind the detail URL.

1.4 Scope
This proposal adds:

  1. A CreativeSecurityAssessment data model on CreativeComplianceReport
  2. A scan_creative_security protocol task (async, webhook-based)
  3. Authentication patterns for scanner API keys
  4. Integration with the existing creative approval workflow (Section 11.3)
  5. Security-specific caching, error handling, and performance guidance

This proposal does not:

  • Assess publisher properties or their supply chains
  • Modify ComplianceProfile in any way
  • Replace or modify existing compliance scoring or creative validation
  • Prescribe scanning methodology (vendor-agnostic per spec philosophy)

2. Authentication

The security scanning agent authenticates orchestrator requests using API keys in the MCP/A2A transport layer, following the existing x-adcp-auth pattern.

MCP Transport:

{
  "mcpServers": {
    "creative-security-scanner": {
      "command": "uvx",
      "args": [
        "mcp-remote",
        "https://scanner.securityvendor.com/mcp/",
        "--header", "x-adcp-auth: SCANNER_API_KEY"
      ]
    }
  }
}

A2A Transport:

POST https://scanner.securityvendor.com/a2a/
Authorization: Bearer SCANNER_API_KEY
Content-Type: application/json

  • Security vendor provisions API keys to orchestrators out-of-band (consistent with existing AdCP agent onboarding)
  • API key determines: rate limits, principal authorization, pricing tier
  • Key rotation follows the vendor's key management policy

Principal-Scoped Keys:

Security vendors MAY issue principal-scoped keys. When present, the principal parameter in task requests is validated against the key's authorized principals:

{
  "task": "scan_creative_security",
  "parameters": {
    "principal": "did:principal:brand-x",
    ...
  }
}
// Scanner validates: SCANNER_API_KEY is authorized for brand-x

3. Data Model

3.1 CreativeSecurityAssessment
Structured threat intelligence for a creative asset, produced by backend scanning. Appears on CreativeComplianceReport as the security field.

Schema: /schemas/v2.0/compliance/creative-security-assessment.json

{
  "schema_version": "v2.0",
  "threat_status": "CLEAN",
  "scan_timestamp": "2025-12-20T15:30:00Z",
  "valid_until": "2025-12-20T21:30:00Z",
  "scan_agent": "security-vendor-a.com",

  "threats": [
    {
      "threat_id": "THR-2025-00198",
      "asset_url": "https://cdn.agency.com/creative/abc123.html",
      "category": "auto_redirect",
      "severity": "CRITICAL",
      "detail_url": "https://scanner.securityvendor.com/threats/THR-2025-00198"
    }
  ],

  "resource_concern": false,

  "detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_def456",

  "signature": {
    "algorithm": "ECDSA-SHA256",
    "value": "base64-encoded-signature"
  }
}

threat_status values:

| Value | Meaning |
|---|---|
| CLEAN | No threats detected. |
| THREAT | Active threat detected. Creative must be rejected. |
| SUSPICIOUS | Anomalous behavior detected but not conclusively hostile. Requires review. |
| SCAN_FAILED | Scan could not complete. Orchestrator SHOULD retry once, then REJECT if the scan fails again. |

threats array: Non-empty when threat_status is THREAT or SUSPICIOUS; an empty array when CLEAN (as in the examples below). Each threat object carries only what orchestrators need for automated routing: the affected asset URL, a category, and a severity. All detailed intelligence is available via the authenticated detail_url, where the vendor controls disclosure depth.

resource_concern: Boolean flag indicating the creative exhibits elevated resource consumption (e.g., cryptocurrency mining). Details are behind the assessment-level detail_url.

detail_url: Authenticated link to the vendor's full assessment report. The vendor controls what information is disclosed and at what level of detail. Because this URL leads to exactly the intelligence Section 1.3 keeps off the wire, orchestrators should not forward it in any payload the creative's submitter can read.

Threat Category Enumeration
Minimal categories for orchestrator routing aligned with industry-standard malvertising taxonomies. Categories map to what the threat does to the user/publisher, not how it was detected.

Security agents MAY extend with vendor-specific categories using vendor_prefix:custom_category namespacing.

| Category ID | Description |
|---|---|
| scam_ad | Social engineering or deception to misrepresent products, services, or businesses; includes retail scams, service fraud, and financial schemes |
| credential_harvest | Phishing techniques to gather user credentials or PII by mimicking trusted entities; includes fake anti-virus and gift card scams |
| auto_redirect | Unauthorized navigation away from publisher context without user interaction; includes forced redirects and click-jacking |
| compromised_landing | Landing page unknowingly compromised by third parties outside the ad supply chain; includes credit card skimming, injected ads, and credential theft |
| compromised_asset | Ad creative or ad server unknowingly compromised by third parties, resulting in unexpected malicious behavior; includes supply chain attacks |
| cloaking_ad | Ad creative masks or misrepresents content to evade detection; includes steganography and payload smuggling |
| cloaking_landing | Landing page masks or misrepresents content; benign to auditors but malicious to targeted users |
| drive_by_software | Unintentional download of executable malware (.exe, .apk, .dmg) without user consent; includes browser hijackers |
| drive_by_file | Unintentional download of non-executable files without user consent; includes cookie stuffing |
| fake_landing | Fake landing page created for malicious purposes; includes typosquatting and fake software updates |
| exploit_kit | Toolkit exploiting browser or plugin vulnerabilities to deliver malware payloads |
| malware_other | Other malicious activity including ransomware, trojans, and cryptocurrency mining |

3.2 CreativeComplianceReport Extension
Add security as a top-level field alongside existing findings, approvals, etc.

{
  "schema_version": "v2.0",
  "creative_id": "creative-12345",
  "context_id": "ctx_abc123",
  "principal": "did:principal:brand-x",
  "assessed_at": "2025-12-20T15:30:00Z",

  "status": "APPROVED",
  "score": 92,
  "findings": [ ... ],
  "remediation_steps": [ ... ],
  "approvals": [ ... ],

  "security": {
    "threat_status": "CLEAN",
    "scan_timestamp": "2025-12-20T15:30:00Z",
    "valid_until": "2025-12-20T21:30:00Z",
    "scan_agent": "security-vendor-a.com",
    "threats": [],
    "resource_concern": false,
    "detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_def456",
    "signature": { ... }
  }
}

Enforcement rules:

| security.threat_status | Outcome |
|---|---|
| THREAT | REJECT — hard gate, no override. |
| SUSPICIOUS | Orchestrator decides per principal policy. |
| CLEAN | APPROVE (subject to compliance score). |
| SCAN_FAILED | Orchestrator SHOULD retry once, then REJECT if the scan fails again. |

4. Protocol Task

4.1 scan_creative_security
Async creative security scan. This task is always asynchronous — there is no synchronous response mode. Results are delivered exclusively via webhook. This task is the security counterpart to validate_creative (regulatory/brand compliance).

| Task | Question Answered |
|---|---|
| validate_creative (existing) | Does this creative comply with regulations and brand guidelines? |
| scan_creative_security (new) | Is this creative hostile? |

Request Schema: /schemas/v2.0/compliance/scan-creative-security-request.json
Response Schema: /schemas/v2.0/compliance/scan-creative-security-response.json

Parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| principal | String | Yes | Requesting principal identity |
| creative_manifest | Object | Yes | Creative manifest from Creative Protocol |
| scan_priority | String | No | normal (default) or expedited (vendor may charge premium) |
| webhook_url | String | Yes | Webhook for async result delivery |

scan_priority controls urgency, not methodology. Priority affects SLA, not detection quality.

Request:

{
  "task": "scan_creative_security",
  "schema_version": "v2.0",
  "parameters": {
    "principal": "did:principal:brand-x",
    "creative_manifest": {
      "format_id": {
        "agent_url": "https://creative.adcontextprotocol.org",
        "id": "html5-display-300x250"
      },
      "asset_urls": ["https://cdn.agency.com/creative/abc123.html"],
      "metadata": {
        "advertiser": "Brand-X",
        "dimensions": "300x250"
      }
    },
    "scan_priority": "normal",
    "webhook_url": "https://orchestrator.example.com/webhooks/creative-security"
  }
}

Acknowledgement:

{
  "context_id": "ctx_csec_def456",
  "status": "SCANNING"
}

Webhook Result — Clean Creative:

{
  "task": "scan_creative_security",
  "context_id": "ctx_csec_def456",
  "status": "completed",
  "result": {
    "creative_id": "abc123",
    "security": {
      "threat_status": "CLEAN",
      "scan_timestamp": "2025-12-20T15:31:22Z",
      "valid_until": "2025-12-20T21:31:22Z",
      "scan_agent": "security-vendor-a.com",
      "threats": [],
      "resource_concern": false,
      "detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_def456",
      "signature": { ... }
    }
  },
  "timestamp": "2025-12-20T15:31:25Z",
  "signature": { ... }
}

Webhook Result — Hostile Creative:

{
  "task": "scan_creative_security",
  "context_id": "ctx_csec_ghi789",
  "status": "completed",
  "result": {
    "creative_id": "xyz789",
    "security": {
      "threat_status": "THREAT",
      "scan_timestamp": "2025-12-20T15:45:10Z",
      "valid_until": "2025-12-20T21:45:10Z",
      "scan_agent": "security-vendor-a.com",
      "threats": [
        {
          "threat_id": "THR-2025-00198",
          "asset_url": "https://cdn.agency.com/creative/xyz789.html",
          "category": "auto_redirect",
          "severity": "CRITICAL",
          "detail_url": "https://scanner.securityvendor.com/threats/THR-2025-00198"
        },
        {
          "threat_id": "THR-2025-00199",
          "asset_url": "https://cdn.agency.com/creative/xyz789.html",
          "category": "credential_harvest",
          "severity": "HIGH",
          "detail_url": "https://scanner.securityvendor.com/threats/THR-2025-00199"
        }
      ],
      "resource_concern": true,
      "detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_ghi789",
      "signature": { ... }
    }
  },
  "timestamp": "2025-12-20T15:45:12Z",
  "signature": { ... }
}

5. Creative Approval Workflow Integration

5.1 Extended Workflow (Modifies Section 11.3)
Security scanning runs in parallel with compliance validation but has veto power.

Creative Submitted
    │
    ├──→ Creative Protocol: technical validation (existing)
    │
    ├──→ scan_creative_security (NEW, async via webhook)
    │       Input: creative_manifest
    │       Output: CreativeSecurityAssessment
    │
    └──→ validate_creative (existing)
              Input: creative_manifest, regulatory_requirements, brand_manifest
              Output: CreativeComplianceReport

    Orchestrator collects all results:
    │
    ├── Security THREAT?
    │      → REJECT — hard gate, overrides compliance score
    │
    ├── Security CLEAN + Compliance ≥ auto_approve_threshold?
    │      → APPROVE
    │
    ├── Security CLEAN + Compliance 70-89?
    │      → REQUIRES_REVIEW
    │
    ├── Security SUSPICIOUS + any compliance score?
    │      → REQUIRES_REVIEW — human sees security concerns
    │
    └── Compliance < 70?
           → REJECT with compliance remediation steps
           → Security results recorded for audit trail

5.2 Escalation for Suspicious Creatives
When security.threat_status is SUSPICIOUS, the existing request_human_review task carries routing-level context. Detailed intelligence is behind the detail_url:

{
  "task": "request_human_review",
  "parameters": {
    "principal": "did:principal:brand-x",
    "creative_id": "abc123",
    "context_id": "ctx_csec_def456",
    "escalation_reason": "security_suspicious",
    "agent_assessment": {
      "security_detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_def456",
      "threat_status": "SUSPICIOUS",
      "threat_count": 1,
      "highest_severity": "MEDIUM",
      "compliance_score": 91,
      "compliance_status": "APPROVED"
    },
    "recommended_action": "APPROVE"
  }
}
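The enforcement table in Section 3.2, the decision tree in Section 5.1 and the escalation payload in Section 5.2 describe one orchestrator-side routine. The following is an added example of that routine in Node.js; it is not code from the proposal or from the AdCP project. It reads the tree top-down (so SUSPICIOUS at any compliance score goes to review before the compliance floor is applied) and makes assumptions the proposal leaves open: a RESCAN outcome for failed or expired scans, a scanAttempts counter kept by the orchestrator, the thresholds 70 and 90 (the tree's "70-89" band implies auto_approve_threshold = 90), a LOW severity level below MEDIUM, and a recommended_action that mirrors the compliance status as in the 5.2 example.

```javascript
// Added example, not the proposal's code. Implements the Section 3.2 rules and
// the Section 5.1 tree read top-down; see the lead-in for the assumptions
// (RESCAN outcome, scanAttempts, 70/90 thresholds, LOW severity, recommendation).

const SEVERITY_ORDER = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL']; // LOW is assumed

const DEFAULT_POLICY = {
  autoApproveThreshold: 90,
  rejectBelow: 70,
  maxScanAttempts: 2, // "retry once, then REJECT"
};

// Highest severity in a threats array, or null when the array is empty.
function highestSeverity(threats) {
  return threats.reduce((max, t) => {
    const rank = SEVERITY_ORDER.indexOf(t.severity);
    if (rank < 0) throw new Error(`unknown severity: ${t.severity}`);
    return rank > SEVERITY_ORDER.indexOf(max) ? t.severity : max;
  }, null);
}

// security: CreativeSecurityAssessment; compliance: { score, status, remediation_steps };
// ctx: { now, scanAttempts } supplied by the orchestrator.
function decideCreative(security, compliance, ctx = {}, policy = DEFAULT_POLICY) {
  const attempts = ctx.scanAttempts ?? 1;
  const now = ctx.now ?? new Date();

  // SCAN_FAILED: retry once, then reject (Sections 3.1 and 3.2).
  if (security.threat_status === 'SCAN_FAILED') {
    return attempts < policy.maxScanAttempts
      ? { outcome: 'RESCAN', reason: 'scan_failed_retry' }
      : { outcome: 'REJECT', reason: 'scan_failed_twice' };
  }

  // An expired assessment is not evidence either way: re-scan before gating (Section 6.2).
  if (!security.valid_until || new Date(security.valid_until) <= now) {
    return { outcome: 'RESCAN', reason: 'assessment_expired' };
  }

  // THREAT is a hard gate; no compliance score overrides it.
  if (security.threat_status === 'THREAT') {
    return { outcome: 'REJECT', reason: 'security_threat', hard_gate: true };
  }

  // SUSPICIOUS at any compliance score goes to a human.
  if (security.threat_status === 'SUSPICIOUS') {
    return { outcome: 'REQUIRES_REVIEW', reason: 'security_suspicious' };
  }

  if (security.threat_status !== 'CLEAN') {
    throw new Error(`unknown threat_status: ${security.threat_status}`);
  }

  // CLEAN: the compliance score alone decides.
  if (compliance.score >= policy.autoApproveThreshold) {
    return { outcome: 'APPROVE', reason: 'clean_and_compliant' };
  }
  if (compliance.score >= policy.rejectBelow) {
    return { outcome: 'REQUIRES_REVIEW', reason: 'compliance_borderline' };
  }
  return { outcome: 'REJECT', reason: 'compliance_failed', remediation_steps: compliance.remediation_steps ?? [] };
}

const RECOMMENDATION_BY_COMPLIANCE_STATUS = { APPROVED: 'APPROVE', REJECTED: 'REJECT' };

// Section 5.2: routing-level context only. Nothing here says what was detected
// or how; the reviewer follows security_detail_url for that.
function buildReviewRequest(principal, creativeId, contextId, security, compliance) {
  return {
    task: 'request_human_review',
    parameters: {
      principal,
      creative_id: creativeId,
      context_id: contextId,
      escalation_reason: 'security_suspicious',
      agent_assessment: {
        security_detail_url: security.detail_url,
        threat_status: security.threat_status,
        threat_count: security.threats.length,
        highest_severity: highestSeverity(security.threats),
        compliance_score: compliance.score,
        compliance_status: compliance.status,
      },
      recommended_action: RECOMMENDATION_BY_COMPLIANCE_STATUS[compliance.status] ?? 'REQUIRES_REVIEW',
    },
  };
}

// Constructed sample: the hostile creative from Section 4.1 with a perfect compliance score.
function exampleRun() {
  const hostile = {
    threat_status: 'THREAT', valid_until: '2025-12-20T21:45:10Z',
    threats: [{ severity: 'CRITICAL', category: 'auto_redirect' }, { severity: 'HIGH', category: 'credential_harvest' }],
  };
  return decideCreative(hostile, { score: 100, status: 'APPROVED' }, { now: new Date('2025-12-20T16:00:00Z') });
}
```

The expiry check sits before the gate on purpose: a stale CLEAN must not approve anything, and a stale THREAT should be re-confirmed rather than silently carried forward. Whether SUSPICIOUS plus a failing compliance score should short-circuit to REJECT is a policy choice the proposal does not make; this version follows the tree literally.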

6. Caching

6.1 Scan TTL
Creative security assessments have shorter TTLs than compliance scores because:

  • Creatives served from CDN may be updated at source without the creative_id changing
  • Third-party JS tags loaded by the creative may change behavior server-side
  • Malware operators rotate payloads on short cycles

Recommended valid_until TTL: 4-8 hours. Vendors MAY adjust based on risk profile.

6.2 Re-Scan Triggers
Orchestrators SHOULD re-scan when:

  • security.valid_until has expired
  • Creative asset URLs have changed (even if creative_id is unchanged)

6.3 Status Change Webhooks
Security agents MAY proactively notify orchestrators when a previously-scanned creative's status changes:

{
  "event": "creative_security_status_changed",
  "creative_id": "abc123",
  "previous_status": "CLEAN",
  "new_status": "THREAT",
  "threat_count": 1,
  "highest_severity": "CRITICAL",
  "detail_url": "https://scanner.securityvendor.com/assessments/ctx_csec_rescan_456",
  "timestamp": "2025-12-21T09:16:00Z",
  "recommended_action": "REJECT",
  "signature": { ... }
}

Orchestrators receiving this webhook SHOULD:

  1. Immediately pause the creative across active campaigns
  2. Notify principal
  3. Log for audit

Uses the existing webhook mechanism (Section 5.7) with a creative-security-specific event type.

7. Security Agent Card

Security scanning agents declare capabilities via .well-known/agent-card.json, extending the schema from Appendix B.

The agent card declares that the agent provides creative security scanning. Detection methodology, environmental coverage, and scanning techniques are vendor-proprietary.

{
  "schema_version": "v2.0",
  "name": "Example Creative Security Scanner",
  "description": "Creative malware detection",
  "url": "https://security.securityvendor.com",
  "mcp_endpoint": "https://security.securityvendor.com/mcp/",
  "a2a_endpoint": "https://security.securityvendor.com/a2a/",
  "contact": {
    "email": "support@securityvendor.com",
    "security_email": "security@securityvendor.com"
  },
  "capabilities": {
    "tasks": ["scan_creative_security"],
    "protocols": ["MCP", "A2A"],
    "schema_version": "v2.0",
    "webhook_support": true,
    "signature_algorithms": ["ECDSA-SHA256"]
  },
  "authentication": {
    "scanner_auth": {
      "method": "api_key",
      "header": "x-adcp-auth",
      "principal_scoped_keys": true,
      "key_provisioning_url": "https://securityvendor.com/dashboard/keys"
    },
    "public_keys": [
      {
        "key_id": "key-2025-01",
        "algorithm": "ECDSA-SHA256",
        "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
        "valid_from": "2025-01-01T00:00:00Z",
        "valid_until": "2026-01-01T00:00:00Z"
      }
    ]
  }
}

8. Performance Requirements

Extends Section 14.1:

| Operation | Target | Notes |
|---|---|---|
| scan_creative_security acknowledgement | <200ms p95 | Immediate SCANNING response |
| scan_creative_security completion | Async, vendor-determined | Vendors compete on speed |
| Webhook delivery | <5s from scan completion | Results and status change notifications |

9. Error Handling

Extends Section 17.1:

| Code | Description | Retry? |
|---|---|---|
| SCAN_IN_PROGRESS | A scan for this creative is already running. Returns the existing context_id. | No — wait for the webhook |
| CREATIVE_INACCESSIBLE | Creative asset URL(s) could not be retrieved. | Yes, after verifying CDN access |
| SCAN_TIMEOUT | Scan exceeded maximum duration. | Yes |
| RATE_LIMIT_EXCEEDED | Too many scan requests. | Yes, after the backoff period (retry_after) |

Error Response Example:

{
  "error": {
    "code": "CREATIVE_INACCESSIBLE",
    "message": "Could not retrieve creative assets for scanning",
    "details": {
      "suggestion": "Ensure creative CDN allows access from scanner IP ranges. See vendor documentation."
    }
  },
  "context_id": "ctx_csec_err789"
}

Rate Limit Error Example:

{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Too many scan requests",
    "retry_after": 60
  }
}

10. Changes Summary

New Schemas

| Schema | Path |
|---|---|
| CreativeSecurityAssessment | /schemas/v2.0/compliance/creative-security-assessment.json |
| scan-creative-security-request | /schemas/v2.0/compliance/scan-creative-security-request.json |
| scan-creative-security-response | /schemas/v2.0/compliance/scan-creative-security-response.json |

Modified Schemas

| Schema | Change |
|---|---|
| creative-compliance-report.json | Add optional security (CreativeSecurityAssessment) top-level field |

Modified Spec Sections

| Section | Change |
|---|---|
| 5.7 Webhook Support | Add creative_security_status_changed event type |
| 6.4 Creative Compliance | Add security assessment to core capabilities |
| 8.4 CreativeComplianceReport | Add security field documentation |
| 10.3 Creative Compliance Tasks | Add scan_creative_security task |
| 11.3 Creative Compliance Workflow | Extend with parallel security scan and hard gate logic |
| 14.1 Performance Requirements | Add creative security scan latency targets |
| 17.1 Error Codes | Add creative security error codes |
| Appendix B Agent Card | Add security agent example |

No Changes To

| Item | Reason |
|---|---|
| ComplianceProfile | Scoped to creative-level only |
| Property declaration/discovery | Out of scope |
| Pre-bid filtering workflow | Out of scope |
| Media buy validation | Out of scope |
| Scoring framework | Security uses a categorical status, not a scored assessment |
| Four-concept framework | Maps to existing Validation (Concept #4) for creatives |

11. Design Decisions

  1. Threat category governance. Working group maintains the base enumeration. Vendors MAY extend with vendor_prefix:custom_category namespacing.
  2. Creative re-scanning policy. Left to orchestrator/principal policy. The protocol does not define minimum re-scan intervals.
  3. Scan result portability. Results are scoped to the requesting principal. Cross-principal sharing is out of scope.
  4. detail_url access control. Left to vendor implementation.
  5. Threat actor probe detection. Not supported. Risk of false positives on legitimate iterative creative development outweighs benefit.
  6. Multi-asset creatives. One scan per creative. Each asset_url in a creative_manifest represents an HTML creative; threats detected within that creative (including from JS tags it loads) are attributed to that asset URL.
