If you discover a security vulnerability in Lattice, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email: security@lattice-runtime.dev

Include:

• A description of the vulnerability.
• Steps to reproduce the issue.
• The potential impact.
• Any suggested fixes (optional).

• Acknowledgment: within 48 hours.
• Initial assessment: within 7 days.
• Fix and disclosure: coordinated with the reporter.

Security issues in the following areas are in scope:

• Credential injection and scope enforcement.
• Audit trail integrity.
• State isolation between concurrent executions.
• Input validation and sanitization.