If you’ve found a security vulnerability or you suspect you did, first of all thank you for caring about our ecosystem! We rely on the community’s participation to keep us all as safe and secure as possible, at least when it comes to software.

The SSWG takes only a secondary role in the security process. We make sure that incubated projects have a security process, and that they follow their processes, but the SSWG is typically not the first point of contact. Please don’t read this as sending you away, though; if at any point in the process you feel like you don’t know where to report, you don’t get a response, or have any other issues, please do contact the SSWG at sswg-security-reports@forums.swift.org. Emails sent to this address are never public; only SSWG members and the Swift core team can see them.

Packages incubated by the SSWG are required to list a clear point of contact on the project’s main information page. Most often, this will be the README.md or SECURITY.md files at the root of the project’s GitHub/GitLab/etc. repository. Projects are also required to list exact steps for reporting a (suspected) vulnerability. Please follow these steps; the SSWG will be notified by the project directly. If you can’t find any required information, you don’t get a response from the project’s maintainers, or you feel that the (suspected) vulnerability is not being treated with the appropriate care and urgency, please reach out to the SSWG at sswg-security-reports@forums.swift.org.