DocTrust follows the current tagged release and the latest unreleased main branch.
For sensitive issues, use GitHub's private security advisory flow:
Please include:
- the affected component,
- a minimal reproduction,
- the expected security impact,
- whether the issue touches the spec, SDKs, demo code, or trust registry behavior.
Do not post secrets, private keys, full exploit details, or production payloads in public issues.
We will triage security reports as soon as practical and prefer coordinated disclosure for anything that could impact real users.