APP is a specification repository, not a hosted service. Security reports are still useful when they affect:

• reference artifacts in this repository
• validation guidance
• unsafe ambiguities in the protocol
• examples that could encourage insecure implementations

Please do not open public issues for suspected security problems that could affect downstream adopters.

Instead, report them privately to the project maintainers. If a dedicated security contact is added later, this document should be updated to point to that channel.

Until then, use private maintainer contact through the repository hosting platform.

Please include:

• a clear description of the issue
• affected files or sections
• why the issue matters for implementers
• any suggested mitigation or clarification

The project aims to:

• acknowledge reports promptly
• assess whether the issue affects the protocol, examples, or documentation
• publish a fix or mitigation note when appropriate