# Security Policy

## Supported Versions

This is an open source project that is provided as-is without warranty or liability.
As such, there is no supportability commitment. The maintainers will do the best they can to address any report promptly and responsibly.

## Reporting a Vulnerability

Please use the "Private vulnerability reporting" feature in the GitHub repository (under the "Security" tab).

⚠️ **Important:** This policy is intended for vulnerabilities in **Trivy itself** (e.g., core functionality, scanning logic, or security features).

If you discover a vulnerability in a **dependency module** (e.g., a third-party library used by Trivy), please **do not report it here**. Instead, open a ticket in [GitHub Discussions](https://github.com/aquasecurity/trivy/discussions) so that the maintainers and community can evaluate and address it appropriately.