The Smooks team participates in responsible disclosure and welcomes collaboration with the wider community on security issues.
To report a security issue, please open a draft security advisory at https://github.com/smooks/[repository]/security/advisories/new where [repository] is substituted with this repository's name. Refrain from sharing the details in public (e.g., posting to the user or developer mailing list, creating a bug report, and so on). We might also contact you to request further details as needed.
The KEYS file is a plain-text file containing the public key signatures of the release managers (and optionally other committers) for the project. Smooks artifacts published to Maven Central Repository are signed. The KEYS file is available from here: https://github.com/smooks/.github/blob/master/KEYS.