Please report security vulnerabilities privately — do not open a public GitHub issue. Either:
- Email security@mloda.ai with a description, affected version, and reproduction steps; or
- Use GitHub's private vulnerability reporting: the repo Security tab → "Report a vulnerability".

We aim to acknowledge reports within a few business days and will keep you updated on remediation. Once a fix is released, we're happy to credit you.

open-kgo is pre-1.0; security fixes land on the latest release only.

This project ships connectors that run against in-memory libraries and local
file fixtures (no Docker, no network by policy). Reports about dependency CVEs
surfaced by the weekly pip-audit scan (.github/workflows/security-scan.yaml)
are welcome but are report-only and not release-blocking.