If you believe you have found a security vulnerability, please do not open a public issue.
Preferred: use GitHub Security Advisories for private disclosure. Alternative: open a minimal issue that indicates you have a security report and request a private channel.
This repo includes ingest and provenance tooling plus vendored third-party sources. Vulnerabilities may arise in:
- ingestion tooling
- parsers/validators
- CI workflows
- impact and affected paths
- minimal reproduction steps
- suggested remediation (if available)