The slsa-verifier community is committed to maintaining a secure-by-default verifier for SLSA. If you believe you have identified a security issue in this project, please follow these guidelines for responsible disclosure.

You may report issues for the most recent version of slsa-verifier. We may, at our discretion, retroactively make changes to older, particularly unsupported versions.

If you discover a potential security issue in this project, we kindly ask that you privately report it. At the minimum, the report must contain the following:

• A description of the issue.
• A specific version or commit SHA of slsa-verifier where the issue reproduces.
• Instructions to reproduce the issue.

Please do not create a public GitHub issue or pull request to submit vulnerability reports. These public trackers are intended for non-time-sensitive and non-security-related bug reports and feature requests. Major feature requests, such as design changes to the specification, should be proposed to the community.

This project follows a 90 day disclosure timeline.