Email support@ontologylabs.ai with the details and, if possible, a proof of concept. We aim to acknowledge within 3 business days. Please do not open a public issue for security reports.

Our recipe repositories (e.g. mendix-runtime-crates) ship recipes only — Dockerfiles, shell scripts, and YAML. They contain no Mendix binaries: the Mendix runtime is downloaded from the Mendix CDN at build time, on your machine, and a CI guard rejects any committed binary. The relevant surface for these repos is therefore the shell/Docker scaffolding (start.sh, Dockerfile) and supply-chain concerns — those reports are very welcome.