This is an open source project that is provided as-is without warranty or liability. As such, there is no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.
Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab).
This policy is intended for vulnerabilities in Trivy itself (e.g., core functionality, scanning logic, or security features).
If you discover a vulnerability in a dependency module (e.g., a third-party library used by Trivy), please do not report it here.
Instead, open a ticket in GitHub Discussions so that the maintainers and community can evaluate and address it appropriately.