Do not open a public GitHub issue for security vulnerabilities.
Preferred: Use the "Report a vulnerability" button on the Security tab.
Alternative: Email bugs@gnu.foo. Reports are acknowledged within 72 hours; fixes within 30 days depending on severity.
In scope:
- Memory-safety bugs, panics, or crashes triggered by attacker-controlled input (malformed target responses, crafted CLI input)
- Secret-leaking in --verbose or --repro output beyond documented behavior
- Supply-chain compromise of crate dependencies
- Denial-of-service via crafted target responses
Out of scope:
- Use of parlov against systems without authorization. You are responsible for ensuring permission to test (CFAA, CMA, etc.).
- Issues with no security impact or theoretical bugs without a proof of concept.
EA92 184C E5A3 4B0B C9EE 3A91 8E28 40A2 97D4 7681
Fetch from keys.openpgp.org · keys/EA92184CE5A34B0BC9EE3A918E2840A297D47681.asc