Report security issues privately through GitHub's private vulnerability reporting, not a public issue. We aim to acknowledge within 3 business days.
Where possible, include the affected package and version, a description, reproduction steps or a proof of concept, and the impact.
Fixes ship against the latest version published to NuGet. Older major versions are not backported.
Trax builds and publishes through a defense-in-depth pipeline: SHA-pinned actions, isolated release credentials, OIDC trusted publishing with SLSA provenance, and locked + audited dependencies (a known-vulnerability advisory fails the build). See the Supply Chain Security guide.