We’re extremely grateful for responsible security researchers that report vulnerabilities to us. All reports are thoroughly investigated by OCI maintainers. If you are reporting a security issue, do not create an issue or file a pull request on GitHub. Instead, disclose the issue responsibly by sending an email to security@opencontainers.org (which is inhabited only by the maintainers of the various OCI projects).