Email security@trendvidia.com with a description, reproduction steps, and the affected version(s) or commit(s). PGP key on request.

Please do not file public GitHub issues for vulnerabilities, and do not post details in pull request comments.

You can expect:

• An acknowledgement within 3 business days.
• A triage decision (accepted / not-a-vulnerability / needs-more-info) within 10 business days.
• A coordinated fix on the timeline below.

This policy covers protowire-csharp — the C# port of the protowire stack. Cross-port issues are also accepted here and routed to the upstream project; you can equivalently file at trendvidia/protowire per its SECURITY.md.

In scope:

• Decoder crashes, hangs, infinite loops, unbounded memory, or OOMs triggered by adversarial PXF / PB / SBE / envelope input.
• Wire-format divergences from other ports for the same input that could be exploited (e.g. authorization bypass via parser disagreement).
• Schema-validation bypasses that let invalid messages reach application code.
• Any unsafe-block soundness issue in src/Protowire.Sbe/View.cs or similar zero-allocation paths.

Out of scope:

• Denial-of-service via legitimately large inputs that respect the limits in the upstream docs/HARDENING.md.
• Issues in Google.Protobuf itself — file those upstream at protocolbuffers/protobuf and CC us.

The decoder paths are exercised against the upstream adversarial corpus (testdata/adversarial/) on every PR via the cmd/Protowire.CheckDecode harness. A regression on the corpus blocks merge.

For vulnerabilities affecting more than one port, a 30-day embargo applies from the date we acknowledge your report (per the upstream project's policy), extendable by mutual agreement when a fix needs more time.

Single-port issues follow this port's own disclosure timeline, typically 7–14 days, but always at least long enough for a fix to be released.

Reporters who follow coordinated disclosure are credited in SECURITY-ADVISORY-*.md advisories on the upstream repo and (with permission) in the release notes. We do not currently run a paid bug-bounty program.