This document outlines the process for handling security concerns in OpenZipkin projects.

Any vulnerability or misconfiguration detected in our security workflow should be addressed as a normal pull request.

OpenZipkin is a volunteer community and does not have a dedicated security team. There may be periods where no volunteer is able to address a security concern. There is no SLA or warranty offered by volunteers. If you are a security researcher, please consider this before escalating.

For security concerns that are sensitive or otherwise outside the scope of public issues, please contact zipkin-admin@googlegroups.com.