Security policy

It’s important to us that the Carbon Language provides a secure implementation. Thank you for taking the time to report vulnerabilities.

The Carbon Language is still an experimental project, so please be careful if using it in security-sensitive environments.

Reporting a vulnerability

Please use https://github.com/carbon-language/carbon-lang/security/advisories/new to report security vulnerabilities.

We use GitHub’s vulnerability reporting for intake. We will respond to reports within two weeks. For valid issues we will coordinate and disclose on GitHub.

If you haven’t received a response, a couple steps to take are (in order):

  1. Contact individuals directly:
  2. Reach out on #infra on Discord (invite)
    • This is a public forum, so say you’re asking for a security contact rather than talking about the security issue directly.