Report security issues — including malformed .opclib exploits, signature bypass, or supply-chain concerns in the import pipeline — to security@openpcb.app. Do not open a public GitHub issue.
You can also use GitHub Security Advisories for private disclosure.
Acknowledgement within 72 hours. Coordinated disclosure typically within 90 days.