# Security and Vulnerability Reporting

Sensitive security-related questions, comments, and reports should be sent to
the [gvisor-security mailing list][gvisor-security-list]. You should receive a
prompt response, typically within 48 hours.

Policies for security list access, vulnerability embargo, and vulnerability
disclosure are outlined in the [governance policy](GOVERNANCE.md).

[gvisor-security-list]: https://groups.google.com/forum/#!forum/gvisor-security