Lernza's SECURITY.md Lacks Critical Contact, Blocking Private Vulnerability Reports
A critical oversight in Lernza's official security documentation is blocking private vulnerability reporting. The project's SECURITY.md file instructs researchers to "email the maintainers directly" but fails to provide any contact email address. This creates a direct path to public exposure of security flaws, as external researchers have no private channel to alert the team when GitHub's own Security Advisories feature is unavailable or unsuitable.
The missing contact information is a fundamental breakdown in the responsible disclosure process. Without a dedicated security reporting address or a listed maintainer email, any discovered vulnerability faces a dead end. Researchers are left with a binary choice: report through public, non-confidential channels such as standard GitHub issues, or forgo reporting entirely, which increases the risk that flaws are exploited or disclosed publicly without warning.
This gap signals a significant operational security risk for Lernza and its users. It places pressure on the project maintainers to formalize their security response protocol immediately. The absence of a private reporting mechanism not only discourages ethical security research but could also damage the project's credibility and user trust if a serious vulnerability is later found to have been unreportable. The suggested fix, establishing a dedicated security contact, is a basic but urgent step to close this exposure.
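The failure described above is easy to catch mechanically: a SECURITY.md that tells researchers to "email the maintainers" without naming an address or advisory URL can be flagged before it is merged. The following is an added example, not code from Lernza or from the article, of a small lint check that looks for a concrete private channel (an email address, a `mailto:` link, or a GitHub Security Advisories URL) and reports a finding when the policy asks for contact but provides none. Both SECURITY.md samples are constructed for the example; the `security@example.invalid` address and the `example-org/example-repo` path are placeholders, not real Lernza contact details.

```python
import re

# Constructed sample: a policy that asks researchers to email the maintainers
# but never says where (the situation the article describes).
BROKEN_SECURITY_MD = """\
# Security Policy

## Reporting a Vulnerability

Please do not open public issues for security problems.
Email the maintainers directly and we will respond within 7 days.
"""

# Constructed sample: the same policy with a private channel actually named.
# The URL path and address are placeholders (.invalid is a reserved TLD).
FIXED_SECURITY_MD = """\
# Security Policy

## Reporting a Vulnerability

Please do not open public issues for security problems.
Report privately via GitHub Security Advisories:
https://github.com/example-org/example-repo/security/advisories/new
or email security@example.invalid (PGP key fingerprint available on request).
"""

# Patterns for the three kinds of private channel the check recognises.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r"mailto:([^\s)>\]]+)")
ADVISORY_RE = re.compile(r"https://github\.com/[^\s)>\]]+/security/advisories(?:/new)?")
# Wording that promises a reporting route; if present with no channel, it is a dead end.
CONTACT_VERB_RE = re.compile(r"\b(e-?mail|contact|report)\b", re.IGNORECASE)


def find_private_channels(text):
    """Return the concrete private reporting channels named in a SECURITY.md, in order of appearance by kind."""
    found = []
    found += [m.group(0) for m in EMAIL_RE.finditer(text)]
    found += [m.group(1) for m in MAILTO_RE.finditer(text)]
    found += [m.group(0) for m in ADVISORY_RE.finditer(text)]
    # A mailto: link and a bare address are the same channel; de-duplicate, keeping order.
    seen, channels = set(), []
    for channel in found:
        if channel not in seen:
            seen.add(channel)
            channels.append(channel)
    return channels


def lint_security_policy(text):
    """Return a list of findings; an empty list means at least one private channel is named."""
    findings = []
    channels = find_private_channels(text)
    asks_for_contact = CONTACT_VERB_RE.search(text) is not None
    if not channels:
        if asks_for_contact:
            findings.append(
                "asks researchers to contact the maintainers but names no address or advisory URL"
            )
        else:
            findings.append(
                "no private reporting channel (email, mailto:, or GitHub advisory URL) found"
            )
    return findings


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_SECURITY_MD), ("fixed", FIXED_SECURITY_MD)):
        print(label, "->", lint_security_policy(policy) or "OK: " + ", ".join(find_private_channels(policy)))
```

Run as a pre-merge check on the repository's SECURITY.md, this turns the "email the maintainers directly" dead end into a failing check rather than something a researcher discovers after finding a bug. The advisory-URL pattern accepts either the advisories index or the `/new` form, so a policy that points at GitHub's private reporting flow passes without also needing an email address.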