Do not report security vulnerabilities through public GitHub issues.
For now, report security concerns to the project leader:
- Mert Satilmaz: mert.satilmaz@owasp.org
If the issue involves OWASP infrastructure or project governance, follow the relevant OWASP reporting process.
Examples of security concerns that should be reported privately include:
- A vulnerability in the harness implementation
- Unsafe behavior in demo environments
- Accidental exposure of secrets in test fixtures
- Unsafe default configuration
- Supply chain risks in project dependencies
- A scenario that encourages harmful real-world execution instead of controlled testing
The following should usually be reported as normal GitHub issues:
- Documentation bugs
- Missing scenario categories
- CLI usability problems
- False positives or false negatives in assertions
- Feature requests