Security: denzuko/mlisp

SECURITY.md

Security Policy — mlisp

Reporting a vulnerability

Do not open a public issue.

Email: security@dapla.net
Subject: [SECURITY] mlisp — <brief description>

We acknowledge within 72 hours and aim to patch within 14 days for confirmed critical/high severity findings.

Supply chain

This repo ships SLSA Level 3 provenance attestations. Verify any release artifact with:

slsa-verifier verify-artifact <artifact> \
  --provenance-path <artifact>.intoto.jsonl \
  --source-uri github.com/denzuko/mlisp
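When that command fails, it helps to see what the provenance file claims. The following is an added example, not code from the mlisp project: it decodes each line of an .intoto.jsonl file and checks that the statement lists the artifact's SHA-256 and names the expected source repository. It does not verify the signature, so it supplements slsa-verifier rather than replacing it. Assumptions: a SLSA v0.2 predicate layout, each line being a bare DSSE envelope or a Sigstore bundle, and constructed sample data including the placeholder tag v0.0.0.

```python
import base64
import hashlib
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"

def load_statements(jsonl_text):
    """Decode the in-toto statement carried on each line of an .intoto.jsonl file."""
    statements = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        # Assumption: each line is a bare DSSE envelope, or a Sigstore bundle
        # that carries the envelope under "dsseEnvelope".
        env = doc.get("dsseEnvelope", doc)
        if env.get("payloadType") != PAYLOAD_TYPE:
            raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
        statements.append(json.loads(base64.b64decode(env["payload"])))
    return statements

def covers(statement, artifact_bytes, source_uri):
    """True if the statement lists this artifact's SHA-256 and names source_uri as the repo."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    # Assumption: SLSA v0.2 predicate, repo recorded as git+https://<repo>@<ref>.
    predicate = statement.get("predicate", {})
    uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    prefix = "git+https://"
    repo = uri[len(prefix):].split("@", 1)[0] if uri.startswith(prefix) else None
    # Exact match on the repo, so a look-alike such as "<repo>-fork" is rejected.
    return digest in subjects and repo == source_uri

def constructed_provenance(artifact_bytes, uri, as_bundle=False):
    """Build one unsigned sample line (constructed data, not a real mlisp attestation)."""
    sha = hashlib.sha256(artifact_bytes).hexdigest()
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "https://slsa.dev/provenance/v0.2",
                 "subject": [{"name": "sample.tar.gz", "digest": {"sha256": sha}}],
                 "predicate": {"invocation": {"configSource": {"uri": uri}}}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    env = {"payloadType": PAYLOAD_TYPE, "payload": payload, "signatures": []}
    return json.dumps({"dsseEnvelope": env} if as_bundle else env)

if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    line = constructed_provenance(artifact, "git+https://github.com/denzuko/mlisp@refs/tags/v0.0.0")
    for st in load_statements(line):
        print("matches artifact and repo:", covers(st, artifact, "github.com/denzuko/mlisp"))
        print("matches modified artifact:", covers(st, artifact + b"!", "github.com/denzuko/mlisp"))
```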

CVE scanning

Every CI run scans the CycloneDX SBOM with osv-scanner. Critical/High CVEs block merge.

There aren't any published security advisories