
Security: Post-Math/Ncode-SDK-for-Linux


SECURITY.md

Security policy

Reporting a vulnerability

Please do not report security issues via public GitHub issues or discussions. Instead, use GitHub's private vulnerability reporting on this repository:

Repository → Security tab → Report a vulnerability

This routes the report to the maintainers privately. We aim to acknowledge new reports within 7 business days.

If GitHub's private reporting is not available to you, open a regular GitHub issue titled "security contact request" with no further detail and a maintainer will reach out for a private channel.

Scope

The following are in scope:

  • Memory-safety, concurrency, or input-validation bugs in any package under ncode/, pattern/, pattern/kernels/, pattern/neolab/, pattern/stub/, or pdf/.
  • Injection / argument-handling bugs in the C# wrapper at tools/ncode-cli/.
  • Documentation issues that could mislead a user into shipping insecure or non-compliant binaries (notably around the AGPL-3.0 transitive licence of go-fitz / MuPDF).

Out of scope:

  • Vulnerabilities in upstream NeoLAB binaries (NeoLABNcodeSDK.dll and friends). Those are NeoLAB's responsibility — please report to NeoLAB Convergence directly.
  • Vulnerabilities in third-party Go modules (pdfcpu, go-fitz, hhrutter/tiff, etc.). Please report those to their respective upstreams and we will pick up the version bump.
  • Pen-recognition or print-quality issues — those are bug reports, not security issues, and belong on the public tracker.

Disclosure

We will coordinate disclosure with the reporter. Default timeline:

  • T+0: private report received, acknowledged within 7 business days.
  • T+7..30: triage, root-cause, fix on a private branch.
  • T+30..90: release the fix and a public advisory.

If a vulnerability is being actively exploited or has already been publicly disclosed elsewhere, the timeline shortens; we will say so in the response.

Out-of-band

There is no bug bounty for this repository. We will credit reporters in advisory text unless asked otherwise.
