Security governance and assessment status
This page summarizes where Weblate publishes security governance information and records the current formal assessment status. It is a factual documentation index and does not claim certification, audit completion, or regulatory compliance.
For product identity, contact, support, release, and SBOM identity, see Product and contact information.
Governance documentation
Weblate publishes security governance information in these documentation areas:
Contribution rules, code review expectations, and project participation are documented in Contributing to Weblate, Weblate source code, and Code of Conduct.
Release lifecycle, security update coverage, and upgrade support are documented in Releases and supported versions.
Vulnerability reporting, disclosure handling, and service incident reporting are documented in Vulnerability and incident handling.
Dependency inventory, vulnerability triage, update automation, and container scanning are documented in Dependencies.
Security assumptions and boundaries are documented in Weblate threat model.
Release artifact inventory, SBOMs, signatures, attestations, and verification are documented in Release artifacts and verification.
Formal assessment status
This repository does not currently record a formal third-party security assessment, certification, audit report, penetration-test report, or formal self-assessment for Weblate.
Automated security checks and compliance tools such as CodeQL, GitHub dependency review, FOSSA, OpenSSF Scorecard, and container vulnerability scans are security evidence and automation signals. They are not formal assessments, certifications, or audit reports.
If Weblate publishes formal assessment evidence in the future, this page and the repository security metadata should be updated with the assessment reference and date.