
Security: fraware/EdgePlug


SECURITY.md

Security policy

Supported versions

We aim to address security issues in the following areas when they are part of an active release line:

Component             Notes
marketplace/          Go API; primary backend surface
ui/                   Design system and web-facing demo
marketplace/desktop/  Electron client
runtime/              Embedded firmware runtime
models/               ML pipeline tooling and training scripts

Exact version support follows tagged releases when present; otherwise, treat the main branch as the supported integration branch.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, report them privately:

  1. Prefer opening a private security advisory for this repository (Security tab → Report a vulnerability), when that feature is enabled for the org or repository.
  2. If advisories are not available, contact the maintainers through a private channel listed in the repository or organization profile (do not file a public issue for undisclosed vulnerabilities).

Include:

  • Description of the issue and potential impact
  • Steps to reproduce (proof-of-concept if safe to share)
  • Affected components or paths (e.g. marketplace/handlers/...)

We will acknowledge receipt as soon as practical and coordinate a fix and disclosure timeline.

Hardening references

  • Dependency updates: Dependabot (.github/dependabot.yml)
  • Go vulnerability scanning: govulncheck in CI
  • Supply chain: SBOM artifacts for marketplace (see marketplace/sbom/ and .github/workflows/marketplace.yml on main / tags)
  • Release hygiene: RELEASING.md (branch protection, required checks)
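As an added illustration of the govulncheck and SBOM items above (this is an example workflow, not the project's own .github/workflows/marketplace.yml), the following GitHub Actions job runs govulncheck against the Go API on every push and pull request, and publishes a CycloneDX SBOM as a build artifact. The module location (marketplace/), the artifact and file names, and the use of cyclonedx-gomod as the SBOM generator are assumptions for the example.

```yaml
# Added example workflow (not the project's own file). Assumptions: the Go
# module lives in marketplace/ and an SBOM is wanted as a CycloneDX JSON artifact.
name: marketplace-security

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

# Least privilege: neither job needs to write to the repository.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: marketplace   # assumed location of the Go module
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: marketplace/go.mod
      - name: Run govulncheck
        # govulncheck exits non-zero when a vulnerable symbol is actually
        # reachable from the module's code, which fails this job and, with
        # branch protection, blocks the merge.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

  sbom:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: marketplace
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: marketplace/go.mod
      - name: Generate CycloneDX SBOM
        # cyclonedx-gomod reads go.mod/go.sum and emits a CycloneDX document;
        # the output path under sbom/ is an assumption for this example.
        run: |
          go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
          mkdir -p sbom
          cyclonedx-gomod mod -json -output sbom/marketplace.cdx.json .
      - uses: actions/upload-artifact@v4
        with:
          name: marketplace-sbom
          path: marketplace/sbom/marketplace.cdx.json
```

Two caveats a reviewer of such a workflow would raise: govulncheck reports only vulnerabilities whose affected symbols are reachable from the scanned code, so a clean run does not mean every vulnerable module in go.sum has been upgraded, and installing the tools with @latest makes the job non-reproducible, so pin both tool versions once the workflow is adopted.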
