Security: shuv-amp/sp-differ

SECURITY.md

Security Policy

SP-DIFFER is a testing framework. It does not hold production keys and should not be used as a wallet.

Reporting a Vulnerability

If you discover a security issue in this repository:

  • For the public repository, use GitHub Private Vulnerability Reporting or a private security advisory first.
  • Use public issues only for non-sensitive follow-up or for issues that are already disclosed.
  • This repository does not currently publish a separate security email alias. A dedicated alias such as security@<maintainer-domain> is the recommended next step if you want an out-of-band reporting path for reporters who cannot use GitHub.

Maintainers should acknowledge private reports promptly, coordinate follow-up in the advisory thread, and only move discussion into public issues after disclosure is intentional.

Release Verification

Public releases should use annotated GPG-signed tags.

Published release-signing fingerprint for the current repo-local signing workflow:

  • 3537 C4E8 59DD 41C1 824C 034C A604 C35A 9408 AAB0 (SP-DIFFER Release <spdiffe-release@noreply>)

Expected format:

  • one maintainer fingerprint per bullet or line
  • the full 40-hex-digit OpenPGP fingerprint, with or without spaces

Contributors should verify signed checksums and signed tags against the public key material in the repository root KEYS file and the instructions in SIGNING.md.
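The verification described above, written out as an added example (this script is not part of the sp-differ repository). It assumes KEYS in the repository root is ASCII-armored OpenPGP key material, and that the signed checksums are a SHA256SUMS file with a detached SHA256SUMS.asc signature; the tag name is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the sp-differ repository): verify a release tag and its
# signed checksum file against the fingerprint published in SECURITY.md, using a
# throwaway keyring populated only from the repo-root KEYS file.
# Assumptions: KEYS is ASCII-armored OpenPGP key material; the checksum file is
# SHA256SUMS with a detached signature SHA256SUMS.asc (names are hypothetical).
set -eu

# Published release-signing fingerprint from SECURITY.md (spaces removed).
EXPECTED_FPR="3537C4E859DD41C1824C034CA604C35A9408AAB0"

# Normalize a fingerprint in either accepted format (with or without spaces):
# strip spaces, uppercase, and reject anything that is not exactly 40 hex digits.
normalize_fpr() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$fpr" in
    ""|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  printf '%s\n' "$fpr"
}

# Compare two fingerprints after normalization; succeeds only on an exact match.
fpr_matches() {
  a=$(normalize_fpr "$1") || return 1
  b=$(normalize_fpr "$2") || return 1
  [ "$a" = "$b" ]
}

# Verify the signed tag and checksum file. A valid signature from an unexpected
# key is still a failure: the primary key fingerprint must match the published one.
verify_release() {
  tag="$1"
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  gpg --batch --quiet --import KEYS
  # --raw emits gpg status lines on stderr; VALIDSIG's last field is the primary key fingerprint.
  signer=$(git verify-tag --raw "$tag" 2>&1 | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
  fpr_matches "$signer" "$EXPECTED_FPR" || { echo "tag $tag: unexpected or missing signer '$signer'" >&2; return 1; }
  # The checksum signature must also come from the release key, not just any key in KEYS.
  signer=$(gpg --batch --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF }')
  fpr_matches "$signer" "$EXPECTED_FPR" || { echo "SHA256SUMS: unexpected or missing signer" >&2; return 1; }
  sha256sum -c SHA256SUMS
  echo "release $tag verified against $EXPECTED_FPR"
}

# Usage: sh verify-release.sh v1.2.3 (run from the repository root, tag name is hypothetical)
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```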