Security: gnufood/whyno

Security Policy

Reporting

Do not open a public GitHub issue for security vulnerabilities.

Preferred: Use the "Report a vulnerability" button on the Security tab.

Alternative: Email bugs@gnu.foo. Reports are acknowledged within 72 hours; fixes follow within 30 days, depending on severity.

Scope

In scope:

  • Permission check logic that produces incorrect results (false-safe or false-deny) for a real filesystem state
  • Capability read or installation bugs that could misrepresent or incorrectly grant/drop file capabilities
  • Input validation bypasses in subject or path parsing
  • LSM (SELinux/AppArmor) query logic that returns incorrect enforcement state
  • Dependency vulnerabilities with a realistic attack path

Out of scope: issues with no security impact, theoretical bugs without a proof of concept, privilege requirements that are documented and intentional (e.g. sudo needed for full gather).

GPG Key

EA92 184C E5A3 4B0B C9EE 3A91 8E28 40A2 97D4 7681

Fetch from keys.openpgp.org · keys/EA92184CE5A34B0BC9EE3A918E2840A297D47681.asc

There aren't any published security advisories