Please report security issues confidentially using
GitHub's form.
Alternatively, you can send an encrypted email to jcappos@nyu.edu
using the
following PGP key:
E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475A
Note: Please do not report such issues publicly on the issue tracker. The *issue tracker is intended for bug reports and feature requests.
A gittuf maintainer will respond to the report as soon as possible. After the report is triaged and the vulnerability is confirmed, a fix will be prepared under embargo. Once the fix is accepted, a new release will be prepared along with a report detailing the vulnerability. This report will identify the reporter unless they request to be kept anonymous. Finally, a CVE may be requested if appropriate for the vulnerability report.