The Palimpsest‑MPL License repository is maintained by the Palimpsest Stewardship Council.
This document describes how to report vulnerabilities and how security issues are handled.
This repository is under active development.
Security updates apply to:
- the `main` branch
- all tagged releases (`v*.*.*`)
Older tags remain available for historical reference but may not receive fixes.
If you believe you have found a security issue involving:
- the Palimpsest‑MPL license text
- provenance tooling (`pmpl-sign`, `pmpl-verify`, `pmpl-audit`)
- GitHub Actions workflows
- SCM manifests
- documentation that may cause unsafe use
- or any other part of this repository
please do not open a public issue.
Instead:
- Contact the Palimpsest Stewardship Council privately via the channels listed in the repository README.
- Include as much detail as possible (steps to reproduce, impact, affected components).
- The Council will acknowledge receipt and begin evaluation.
The Council will:
- review the report
- assess severity
- coordinate a fix or clarification
- publish advisories when appropriate
- credit reporters unless anonymity is requested
This repository follows:
- least‑privilege GitHub Actions permissions
- pinned dependencies in workflows
- regular CodeQL and Scorecard scans
- dependency review on pull requests
- provenance‑aware development practices
- SPDX‑based license identification
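The first four practices above translate directly into workflow configuration. The following pull-request workflow is an added illustration, not a workflow from this repository: it grants the job token read-only access by default, raises permissions only for the single job that must upload scan results, pins every action to a full commit SHA (the all-zero SHAs and `vX.Y.Z` tags are placeholders to be replaced with real values), and runs dependency review on each pull request. The CodeQL language and the severity threshold are assumptions to adjust for the actual tooling.

```yaml
# Added example (not the repository's own workflow): a pull-request check that
# applies least-privilege permissions, SHA-pinned actions and dependency review.
name: pr-security-checks

on:
  pull_request:

# Weak setting to avoid: `permissions: write-all` (or omitting `permissions`,
# which inherits the repository default). Corrected: read-only by default,
# with individual jobs opting in to exactly the scopes they need.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Weak: `uses: actions/checkout@main` (a moving ref). Corrected: a full
      # commit SHA with the tag recorded in a trailing comment for readers.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - uses: actions/dependency-review-action@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          fail-on-severity: high   # assumption: threshold chosen for illustration

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # only this job may upload SARIF scan results
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - uses: github/codeql-action/init@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          languages: javascript   # assumption: set to the language of the provenance tooling
      - uses: github/codeql-action/analyze@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
```

The `contents: read` default means a compromised or over-permissive third-party action in any job cannot push commits or modify releases; only `codeql` receives `security-events: write`, and only because result upload requires it. Pinning by SHA rather than by tag ensures the action executed is the one that was reviewed, since tags can be moved after the fact.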
For more detailed information, see the documentation under docs/ and legal/.