It's important to us that the Carbon Language provides a secure implementation. Thank you for taking the time to report vulnerabilities.

The Carbon Language is still an experimental project, so please be careful if using it in security-sensitive environments.

Please use https://github.com/carbon-language/carbon-lang/security/advisories/new to report security vulnerabilities.

We use GitHub's vulnerability reporting for intake. We will respond to reports within two weeks. For valid issues we will coordinate and disclose on GitHub.

If you haven't received a response, a couple steps to take are (in order):

1. Contact individuals directly:
   • Chandler Carruth
   • Richard Smith
   • Jon Ross-Perkins
2. Reach out on #infra on Discord (invite)
   • This is a public forum, so say you're asking for a security contact rather than talking about the security issue directly.