Voss is local-first developer tooling, so security reports should protect repos, credentials, and exploit details. Do not paste secrets, token values, or working exploit steps into a public issue.
Open a minimal GitHub issue that says you have a security report and need a private channel. Include the affected package or surface, impact summary, and safe contact path. Leave exploit details, private repo names, and credentials out of the issue.
Voss does not currently publish a bug bounty program. Reports are handled as coordinated disclosure: confirm receipt, reproduce impact, ship a fix, and credit the reporter when they want attribution.
