Cleave is in very early design with no shipped code yet. There is no attack surface to disclose against today.

Once a compiler exists and is being used, this page will be updated with disclosure instructions and a contact address.

If you've found a design-level concern in the meantime (a primitive that's unsound, a protocol shape that allows unexpected behavior, a worked example that misleads), open a GitHub Discussion or email security@cleavelang.org.