Do not open a public issue.
Email: security@dapla.net
Subject: [SECURITY] mlisp — <brief description>
We acknowledge within 72 hours and aim to patch within 14 days for confirmed critical/high severity findings.
This repo ships SLSA Level 3 provenance attestations. Verify any release artifact with:
slsa-verifier verify-artifact <artifact> \
--provenance-path <artifact>.intoto.jsonl \
--source-uri github.com/denzuko/mlispEvery CI run scans the CycloneDX SBOM with osv-scanner.
Critical/High CVEs block merge.