Security fixes are applied to the default branch and included in subsequent releases.

Please do not open a public issue for undisclosed vulnerabilities.
Instead, report privately through the security contact path in SUPPORT.md and include:
- affected files/modules
- impact summary
- proof of concept or reproduction steps
- suggested mitigation (if available)

Maintainers will acknowledge receipt and triage as quickly as possible, then coordinate remediation and disclosure timing.

This policy covers ontology artifacts, validation/build scripts, and release/supply-chain outputs in this repository.