Please report security issues confidentially using GitHub's form. Alternatively, you can send an encrypted email to jcappos@nyu.edu using the following PGP key:

E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475A

Note: Please do not report such issues publicly on the issue tracker. The *issue tracker is intended for bug reports and feature requests.

A gittuf maintainer will respond to the report as soon as possible. After the report is triaged and the vulnerability is confirmed, a fix will be prepared under embargo. Once the fix is accepted, a new release will be prepared along with a report detailing the vulnerability. This report will identify the reporter unless they request to be kept anonymous. Finally, a CVE may be requested if appropriate for the vulnerability report.