The Forensics Tracing Toolkit includes a Gradle plugin, Java source scanning code, Byteman rule generation, and runtime tracing helpers. Security reports may involve generated tracing rules, runtime helper behavior, build integration, dependency handling, or disclosure risks in trace output.

Please do not open a public issue or pull request for a suspected vulnerability before it has been assessed privately. Public disclosure can make it easier for others to exploit the issue before a fix is available.

Use GitHub private vulnerability reporting for this repository when it is available. If that option is not available, contact the repository maintainers privately through the contact channels published on the repository owner profile or project page.

When reporting a vulnerability, include:

• A clear description of the issue and affected component.
• Steps to reproduce the issue with the smallest practical example.
• The affected version, commit, or Gradle plugin configuration.
• Any generated Byteman rules, trace snippets, or logs needed to understand the problem.
• Whether the issue exposes sensitive data, changes application behavior, weakens build isolation, or creates unsafe generated output.

Do not include secrets, credentials, private customer data, or full production traces unless the maintainers explicitly request a sanitized sample.

Reports are most useful when they target the current repository state or the latest published plugin/runtime version. Older versions may be assessed case by case, depending on severity and available maintenance capacity.

Please give the maintainers a reasonable opportunity to investigate and prepare a fix before public disclosure. Coordinated disclosure helps users update safely and keeps the public record accurate.