Security: tbckr/trident

SECURITY.md

Security Policy

Supported Versions

Only the latest release of trident receives security updates. If you are running an older version, please upgrade before reporting.

Reporting a Vulnerability

To report a security vulnerability, use GitHub's private vulnerability reporting. This keeps your report confidential until a fix is available.

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • The version of trident you are using
  • Your OS and architecture
  • Any relevant logs or output (with sensitive data redacted)

Response Timeline

  • Acknowledgement: within 7 days of your report
  • Fix target: within 30 days for confirmed vulnerabilities

Timelines may vary depending on severity and complexity.

Scope

This policy covers the trident CLI tool itself. It does not cover the third-party APIs and services that trident queries (e.g. crt.sh, ThreatMiner, Quad9). Issues with those services should be reported to their respective maintainers.

Responsible Disclosure

Please do not publicly disclose a vulnerability until a fix has been released. We will coordinate with you on disclosure timing and credit you in the release notes unless you prefer to remain anonymous.
