apache/unomi follows the Apache Software Foundation security process. Please report suspected vulnerabilities privately to security@apache.org (the ASF security team routes Unomi reports to the project's private list, private@unomi.apache.org); do not open public GitHub issues or pull requests for security reports.

What the project treats as in scope and out of scope, the security properties it provides and disclaims, the adversary model, and how findings are triaged are documented in THREAT_MODEL.md.