Security: 3DCF-Labs/safepilot

SECURITY.md

Security Policy

The 3DCF team maintains one supported branch and handles vulnerability reports privately to keep downstream users safe.

Supported Versions

Version Supported
main
Tags prior to v0.1

Reporting

  • Email yevhenii@3dcf.dev with a short description, affected commit/release, and proof-of-concept or reproduction notes.
  • If you prefer, request our PGP fingerprint in the same message and resend an encrypted copy.
  • We acknowledge reports within 7 business days and send a mitigation or fix plan within 21 business days whenever possible.
  • After a fix is released, we will coordinate public disclosure and, if desired, credit the reporter.

Please avoid filing public issues or sharing exploit details until we confirm a fix is available and both parties agree on a disclosure date.

SafePilot is an open source project under the Apache-2.0 license. There is no bug bounty program and no budget for paid reports.

Security documentation index: docs/security/README.md.

There aren’t any published security advisories