Email security@trendvidia.com with a description, reproduction steps, and the affected version(s) or commit(s). PGP key on request.

Please do not file public GitHub issues for vulnerabilities, and do not post details in pull request comments.

You can expect:

• An acknowledgement within 3 business days.
• A triage decision (accepted / not-a-vulnerability / needs-more-info) within 10 business days.
• A coordinated fix on the timeline below.

This policy covers protowire-java — the Java port of the protowire stack. Cross-port issues (the same input affecting multiple language ports) are also accepted here and routed to the upstream project; you can equivalently file at trendvidia/protowire per its SECURITY.md.

In scope:

• Decoder crashes, hangs, infinite loops, unbounded memory, or OOMs triggered by adversarial PXF / PB / SBE / envelope input.
• Wire-format divergences from other ports for the same input that could be exploited (e.g. authorization bypass via parser disagreement).
• Schema-validation bypasses that let invalid messages reach application code.
• Reflection-driven gadgets through protobuf-java's DynamicMessage surface — please report even if they require a malicious schema.

Out of scope:

• Denial-of-service via legitimately large inputs that respect the limits in the upstream docs/HARDENING.md.
• Issues in protobuf-java itself — file those upstream at protocolbuffers/protobuf and CC us.

For vulnerabilities affecting more than one port, a 30-day embargo applies from the date we acknowledge your report (per the upstream project's policy), extendable by mutual agreement when a fix needs more time. During the embargo we coordinate fixes across all affected ports so they ship simultaneously.

Single-port issues follow this port's own disclosure timeline, typically 7–14 days, but always at least long enough for a fix to be released to Maven Central under org.protowire:protowire-pxf (and sibling artifacts).

Reporters who follow coordinated disclosure are credited in SECURITY-ADVISORY-*.md advisories on the upstream repo and (with permission) in the release notes. We do not currently run a paid bug-bounty program.