Security: bugscale/software-supply-chain-security-guide

SECURITY.md

Security Policy

Scope

This repository publishes security guidance that readers integrate into build pipelines, CI/CD configurations, and developer tooling. A malicious or subtly incorrect change to any command, URL, or configuration example could compromise downstream environments.

Reporting a vulnerability in this repository

If you believe a commit, pull request, or published recommendation contains a malicious or dangerously incorrect change, report it privately using GitHub's private vulnerability reporting feature:

https://github.com/bugscale/software-supply-chain-security-guide/security/advisories/new

Alternatively, email security@bugscale.ch with:

  • The affected file and line(s)
  • What the current content does versus what it should do
  • Any evidence of malicious intent or downstream impact

We will acknowledge reports within 48 hours and aim to remediate confirmed issues within 72 hours.

Integrity controls

The following measures protect the integrity of published guidance:

  • All commits to the main branch require a pull request with at least one maintainer approval
  • Commit signing is required for all contributors
  • Force pushes to main are disabled
  • All pull requests require evidence for technical changes (see CONTRIBUTING.md)

What to watch for

When reviewing pull requests, pay particular attention to:

  • Changes to registry URLs or download endpoints
  • Changes to cryptographic verification commands or hashes
  • Addition or modification of install-time scripts
  • Subtle flag changes (e.g., removing --ignore-scripts, weakening a verification step)
  • New external links, especially to executable content

Responsible disclosure for referenced tools

If you discover a vulnerability in a package manager, registry, or tool referenced by this guide, report it to the affected vendor first. Once the vendor has published a fix or advisory, open an issue here so we can update the relevant guidance.