
Security: mthamil107/ai-bot-shield


SECURITY.md

Security Policy

Reporting a vulnerability

Please do not file a public issue. Use GitHub's private "Report a vulnerability" feature in the Security tab of the repository.

Alternatively, email the maintainers (see GOVERNANCE.md for contacts). Include the affected version, reproduction steps, and impact.

Response timeline

  • Initial acknowledgement: within 7 days of report
  • Triage and assessment: within 14 days
  • Coordinated disclosure window: 90 days from acknowledgement
  • Public advisory and patched release: at the end of the window

Scope

In scope:

  • Verification logic for signed bot requests (RFC 9421 module)
  • Signature registry parsing and update mechanism
  • Middleware code paths in any supported language

Out of scope:

  • Bot operators choosing not to sign their requests. The verification module can only check signatures that are present; unsigned traffic is a known limitation, not a bug (see docs/rfc9421.md for how the project frames this).
  • Issues in the upstream signatures list at ai.robots.txt (report there)
  • Issues in third-party RFC 9421 libraries (report to those projects)

Hall of fame

Researchers who responsibly disclose verified findings will be acknowledged in the CHANGELOG and in a dedicated section of docs/SECURITY_ACKNOWLEDGEMENTS.md, with their preferred handle and optional contact link.

There aren't any published security advisories