This document defines how security vulnerability reporting is handled for this project. The approach aligns with the LF Decentralized Trust security policy. Please review that document to understand the basis of the security reporting for this project. Details specific to this repository are documented below.

The latest release version is supported with security updates. To address any security vulnerabilities found in previous releases, you should update to the latest release.

Suspected security vulnerabilities in this project can be reported using the repository's security advisories page. Guidance can be found in the GitHub documentation on privately reporting a security vulnerability. The maintainers will work with you to confirm the vulnerability, deliver a fix, and then release a security bulletin.

Dependencies are regularly scanned for published security vulnerabilities, and these are addressed as soon as practical. In general it should not be necessary to report vulnerabilities in project dependencies.