Report vulnerabilities in @openpcb/* packages — especially parser exploits, .opclib signature bypass, or unsafe deserialization — to security@openpcb.app. Do not open a public GitHub issue.
You can also use GitHub Security Advisories for private disclosure.
Acknowledgement within 72 hours. Coordinated disclosure typically within 90 days.