Security governance and assessment status

This page summarizes where Weblate publishes security governance information and records the current formal assessment status. It is a factual documentation index and does not claim certification, audit completion, or regulatory compliance.

For product identity, contact, support, release, and SBOM identity, see Product and contact information.

Governance documentation

Weblate publishes security governance information in these documentation areas:

• Contribution rules, code review expectations, and project participation are documented in Zu Weblate beitragen, Weblate-Quellcode, and Verhaltenskodex.

• Release lifecycle, security update coverage, and upgrade support are documented in Releases and supported versions.

• Vulnerability reporting, disclosure handling, and service incident reporting are documented in Schwachstellen und Umgang mit Vorfällen.

• Dependency inventory, vulnerability triage, update automation, and container scanning are documented in Abhängigkeiten.

• Security assumptions and boundaries are documented in Weblate-Bedrohungsmodell.

• Release artifact inventory, SBOMs, signatures, attestations, and verification are documented in Release artifacts and verification.

Formal assessment status

This repository does not currently record a formal third-party security assessment, certification, audit report, penetration-test report, or formal self-assessment for Weblate.

Automated security checks and compliance tools such as CodeQL, GitHub dependency review, FOSSA, OpenSSF Scorecard, and container vulnerability scans are security evidence and automation signals. They are not formal assessments, certifications, or audit reports.

If Weblate publishes formal assessment evidence in the future, this page and the repository security metadata should be updated with the assessment reference and date.