Supported Versions
This is an open-source project provided as is, without warranty or liability. Therefore, there are no commitments regarding support availability. The project maintainers will do their best to address any reports promptly and responsibly. We strive to maintain security for the latest version.
Vulnerability Reporting
Please use the "Report a Vulnerability Private" feature in the GitHub repository (in the "Security" tab).
⚠️ Important: This policy is for vulnerabilities within Trivy itself (e.g., core functionality, scan logic, or security features).
If you discover a vulnerability in a dependency (e.g., a third-party library used by Trivy), please do not report it here.
Instead, open a request form in GitHub Talk so that maintainers and the community can assess and address the issue appropriately.