Security governance and assessment status
This page summarizes where Weblate publishes security governance information and records the current formal assessment status. It is a factual documentation index and does not claim certification, audit completion, or regulatory compliance.
For product identity, contact, support, release, and SBOM identity, see Product and contact information.
Governance documentation
Weblate publishes security governance information in these documentation areas:
Contribution rules, code review expectations, and project participation are documented in Contributing to Weblate, Weblate source code, and Code of Conduct.
Release lifecycle, security update coverage, and upgrade support are documented in Releases and supported versions.
Vulnerability reporting, disclosure handling, and service incident reporting are documented in Vulnerability and incident handling.
Dependency inventory, vulnerability triage, update automation, and container scanning are documented in Dependencies.
Security assumptions and boundaries are documented in Weblate threat model.
Release artifact inventory, SBOMs, signatures, attestations, and verification are documented in Release artifacts and verification.
Formal assessment status
This repository does not currently record a formal third-party security assessment, certification, audit report, penetration-test report, or formal self-assessment for Weblate.
Automated security checks and compliance tools such as CodeQL, GitHub dependency review, FOSSA, OpenSSF Scorecard, and container vulnerability scans are security evidence and automation signals. They are not formal assessments, certifications, or audit reports.
If Weblate publishes formal assessment evidence in the future, this page and the repository security metadata should be updated with the assessment reference and date.