If you discover a security vulnerability in UPI, please report it privately by opening a security advisory on GitHub.
Please do not report security vulnerabilities through public GitHub issues.
Dependencies are audited regularly via cargo audit in CI. The dependency tree is checked for known CVEs on every change to Cargo.lock and on a daily schedule.
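
A workflow with the two triggers described above, as an added example and not the project's own CI configuration. It assumes GitHub Actions as the CI system; the file name, job name, cron time and branch-independent path filter are hypothetical.

```yaml
# Constructed example: .github/workflows/audit.yml (hypothetical file name)
name: dependency-audit

on:
  # Run whenever the resolved dependency tree changes.
  push:
    paths:
      - "**/Cargo.lock"
  pull_request:
    paths:
      - "**/Cargo.lock"
  # Run daily as well, so advisories published after the last
  # Cargo.lock change are still caught. The time is arbitrary.
  schedule:
    - cron: "0 6 * * *"

# The audit only reads the repository; grant the token nothing more.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumes the runner image already provides a Rust toolchain.
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # cargo audit checks Cargo.lock against the RustSec advisory
      # database and exits non-zero when a vulnerable crate version
      # is found, which fails the job.
      - name: Audit dependencies
        run: cargo audit
```

The scheduled trigger runs against the default branch only, so long-lived release branches need their own audit job if they pin different dependency versions.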