Security: TGPSKI/security-context-spec

SECURITY.md

Security Policy

Scope

This repository contains a specification and reference tooling — not a running service. Security issues here relate to:

  • Validator logic that incorrectly accepts or rejects files
  • JSON Schema definitions that permit unsafe patterns
  • Spec language that could mislead scanner authors into unsafe behavior (e.g., silently suppressing findings)

Reporting

For issues that affect the correctness of the specification or could lead to scanners making wrong security decisions, please open a GitHub issue. This is an open specification — transparency in security issues is a feature.

If you believe the issue is sensitive (e.g., a flaw that could be exploited before a fix is available), email the maintainer directly. Contact information is in the repository's GitHub profile.

Trust Model

The spec's trust model is documented in §1.3 of the specification. The core principle: .security-context.yaml is a declaration of context, not a grant of authority. Scanners decide how much weight to give each field.
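The following is an added illustration of that principle, not code from the security-context-spec repository or its reference tooling. It contrasts a scanner that treats the declaration as authority (the "silently suppressing findings" behaviour the Scope section names as unsafe) with one that keeps every finding, leaves the scanner's own severity untouched, and records which declared fields influenced the priority weight. The field names `environment` and `accepted_findings`, the finding shape, and the weighting factors are hypothetical placeholders chosen for the example; they are not taken from the specification.

```python
"""Added example, not part of the security-context-spec project.

Shows the trust principle from SECURITY.md: a .security-context.yaml file
is a declaration of context, not a grant of authority. A scanner consuming
it decides how much weight each field gets, and must never let a declared
field silently remove a finding. All field names here are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Any

# Constructed sample: the mapping a YAML loader would return for a
# hypothetical .security-context.yaml. Treat it as untrusted input.
SAMPLE_CONTEXT: dict[str, Any] = {
    "environment": "development",
    "accepted_findings": [
        {"rule": "HARDCODED_SECRET", "reason": "test fixture, rotated nightly"},
    ],
}

# Constructed sample scanner output.
SAMPLE_FINDINGS: list[dict[str, str]] = [
    {"rule": "HARDCODED_SECRET", "path": "tests/fixtures/creds.py", "severity": "high"},
    {"rule": "SQL_INJECTION", "path": "app/db.py", "severity": "high"},
]


@dataclass
class WeightedFinding:
    rule: str
    path: str
    severity: str                 # the scanner's own verdict, never rewritten
    weight: float                 # priority multiplier derived from context, 0..1
    context_claims: list[str] = field(default_factory=list)  # audit trail


def unsafe_apply_context(findings: list[dict[str, str]], context: dict[str, Any]) -> list[dict[str, str]]:
    """The anti-pattern: declared fields act as authority and findings vanish
    with no trace. Kept here only to show what the policy warns against."""
    accepted = {a.get("rule") for a in context.get("accepted_findings") or []}
    return [f for f in findings if f["rule"] not in accepted]


def weigh_findings(findings: list[dict[str, str]], context: dict[str, Any]) -> list[WeightedFinding]:
    """Treat each declared field as a claim. Every finding survives, the
    scanner's severity is preserved, and each claim that lowered the weight
    is recorded so a reviewer can see (and challenge) the reasoning."""
    env = context.get("environment")
    accepted: dict[str, str] = {}
    for entry in context.get("accepted_findings") or []:
        # Skip malformed entries instead of guessing what was meant.
        if isinstance(entry, dict) and isinstance(entry.get("rule"), str):
            accepted[entry["rule"]] = str(entry.get("reason", ""))

    weighted: list[WeightedFinding] = []
    for f in findings:
        weight = 1.0
        claims: list[str] = []
        if env == "development":
            weight *= 0.5  # hypothetical factor: declared non-production context
            claims.append("declared environment=development")
        if f["rule"] in accepted:
            weight *= 0.5  # hypothetical factor: declared acceptance, still reported
            claims.append(f"declared accepted: {accepted[f['rule']] or 'no reason given'}")
        weighted.append(WeightedFinding(f["rule"], f["path"], f["severity"], weight, claims))
    return weighted


if __name__ == "__main__":
    print("unsafe scanner kept", len(unsafe_apply_context(SAMPLE_FINDINGS, SAMPLE_CONTEXT)), "of", len(SAMPLE_FINDINGS))
    for w in weigh_findings(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{w.rule:18} severity={w.severity} weight={w.weight:.2f} claims={w.context_claims}")
```

The point of the safe path is that the declaration can only re-order a reviewer's attention; it cannot make a finding disappear, and the `context_claims` list lets anyone auditing the output see exactly which declared fields were trusted and how far.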

There aren't any published security advisories