If you believe you have identified a security issue related to the sev-certify project, please report it by creating a draft security advisory in GitHub. Refer to the guidelines for creating a repository security advisory here, and please DO NOT report the issue publicly via the GitHub issue tracker, mailing list, or IRC, and DO NOT create a public issue.
Note: For any AMD SEV security bug unrelated to the sev-certify project, please report it directly to AMD by following the guidelines in the How to Submit a Vulnerability Report section of the AMD product security resources.
Each bug report related to the sev-certify project is acknowledged and analyzed by the core maintainers within five working days. Any vulnerability information shared with the core maintainers remains confidential within the sev-certify project. As the security issue progresses from triage to an identified fix and release planning, the core maintainers will keep the reporter updated.