Security: digitalrats/rill

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in the Rill ecosystem, please report it via a GitHub Issue with the label security. You may also reach out directly to the maintainers at the project's GitHub repository.

We will acknowledge receipt within 48 hours and provide an estimated timeline for a fix.

Scope

The following are considered in scope:

  • The rill-* crates published on crates.io
  • The drift reference application
  • Build and CI infrastructure

Out of Scope

  • Dependencies (report to the respective project)
  • Hypothetical attacks requiring physical access
  • Theoretical attacks without a practical proof of concept

There aren't any published security advisories