diff --git a/.github/test.bat b/.github/test.bat
new file mode 100644
index 0000000..7569537
--- /dev/null
+++ b/.github/test.bat
@@ -0,0 +1,3 @@
+eactest.com
+cvc-create.com --help
+cvc-print.com --help
diff --git a/.github/test.sh b/.github/test.sh
new file mode 100755
index 0000000..ee866e8
--- /dev/null
+++ b/.github/test.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# CI script to test on unix like systems
+
+set -ex -o xtrace
+
+chmod a+x *.com
+./eactest.com
+openssl ecparam -out ZZATCVCA00001.pem -name prime192v1 -genkey -param_enc explicit
+openssl pkcs8 -topk8 -nocrypt -in ZZATCVCA00001.pem -outform DER -out ZZATCVCA00001.pkcs8
+./cvc-create.com --role=cvca --type=at --chr=ZZATCVCA00001 --expires=991231 --sign-with=ZZATCVCA00001.pkcs8 --scheme=ECDSA_SHA_256 --rid
+./cvc-print.com --cvc=ZZATCVCA00001.cvcert --disable-cvc-verification
diff --git a/.github/workflows/ape.yml b/.github/workflows/ape.yml
new file mode 100644
index 0000000..ff058d9
--- /dev/null
+++ b/.github/workflows/ape.yml
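Review bot: A failing command does not stop a batch file, so if `eactest.com` returns non-zero the step still reports the exit status of the last line, `cvc-print.com --help`, and the Windows job passes; each line needs its own check, e.g. `eactest.com || exit /b 1`, `cvc-create.com --help || exit /b 1`, `cvc-print.com --help || exit /b 1`. Unlike test.sh, nothing here runs `cvc-create`/`cvc-print` beyond `--help`, so the Windows matrix in ape.yml only confirms that the binaries start. The bare `eactest.com` invocation also assumes the `.com` files are in the current directory or on PATH, which nothing in this hunk arranges.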
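Review bot: The last line, `./cvc-print.com --cvc=ZZATCVCA00001.cvcert --disable-cvc-verification`, prints the freshly created CVCA certificate with signature verification switched off, so presumably the self-signed signature produced by `cvc-create` is never checked and the only cryptographic outcome the script confirms is that `cvc-create` did not fail. If cvc-print can be given the CVCA certificate as trust anchor, a second invocation without `--disable-cvc-verification` would turn this into a real sign-then-verify round trip. As a minor point, `set -ex -o xtrace` enables tracing twice (`-x` and `-o xtrace` are the same option); `set -ex` is enough. `chmod a+x *.com` also assumes the downloaded artifact was unpacked into the working directory; if download-artifact extracts it into a subdirectory named after the artifact, the glob does not match and the script stops at chmod.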
@@ -0,0 +1,58 @@
+name: Actually Portable Executable
+
+on:
+ pull_request:
+ paths:
+ - '**.c'
+ - '**.h'
+ - '**.i'
+ - '**.in'
+ - '**.sh'
+ - '**.py'
+ - '**.go'
+ - '**.java'
+ - '**.rb'
+ - .github/workflows/ape.yml
+ push:
+
+
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - run: .github/build.sh ape
+ - uses: actions/upload-artifact@v4
+ with:
+ name: openpace-${{ github.ref_name }}-bin
+ path:
+ openpace-bin
+
+ test-unix:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-24.04, ubuntu-24.04-arm, macos-15, macos-15-intel, macos-26, macos-26-intel]
+ name: test-${{ matrix.os }}
+ runs-on: ${{ matrix.os }}
+ needs: build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v5
+ - run: .github/test.sh
+
+ test-windows:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [windows-2022, windows-2025, windows-11-arm]
+ name: test-${{ matrix.os }}
+ runs-on: ${{ matrix.os }}
+ needs: build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v5
+ - run: .github/test.bat
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 892d3c2..4f3c9fa 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -1,4 +1,4 @@
-name: Coverity CI
+name: Coverity Scan

 # We only want to test master or explicitly via coverity branch
 on:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 600ef17..6a2cfba 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -1,4 +1,4 @@
-name: macOS CI
+name: macOS

 on:
 pull_request:
@@ -25,8 +25,3 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - run: .github/build.sh macos
- - uses: actions/upload-artifact@v4
- with:
- name: openpace-dmg
- path:
- openpace*.dmg
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
deleted file mode 100644
index 2e627c4..0000000
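Review bot: The artifact name `openpace-${{ github.ref_name }}-bin` in the build job's upload-artifact step will fail on `pull_request` runs, because `github.ref_name` is then `<number>/merge` and upload-artifact@v4 rejects names containing `/` (the same happens on a push to a branch named like `feature/x`); `openpace-${{ github.sha }}-bin` or `openpace-${{ github.run_id }}-bin`, or sanitising the ref first, avoids this. The `download-artifact@v5` steps in test-unix and test-windows give no `name:`, and without one the action extracts each artifact into a directory named after it, so test.sh and test.bat, which run from the workspace root, may not find the `.com` files — worth confirming against a run, or adding `name:` plus `path: .`. From a supply-chain angle, every action here is referenced by a mutable tag (`actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v5`) while this same commit deletes the Scorecard workflow that pinned its actions to full commit SHAs; pinning these to SHAs with a `# vX.Y.Z` comment keeps the pinned-dependency posture the repository had. The top-level `permissions: contents: read` is right and should stay.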
--- a/.github/workflows/scorecard.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
-on:
- # For Branch-Protection check. Only the default branch is supported. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
- schedule:
- - cron: '43 9 * * 4'
- push:
- branches: [ "master" ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
- analysis:
- name: Scorecard analysis
- runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
- id-token: write
- # Uncomment the permissions below if installing in a private repository.
- # contents: read
- # actions: read
-
- steps:
- - name: "Checkout code"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
- with:
- results_file: results.sarif
- results_format: sarif
- # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
- # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
- # Public repositories:
- # - Publish results to OpenSSF REST API for easy access by consumers
- # - Allows the repository to include the Scorecard badge.
- # - See https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories:
- # - `publish_results` will always be set to `false`, regardless
- # of the value entered here.
- publish_results: true
-
- # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
- # format to the repository Actions tab.
- - name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- # Upload the results to GitHub's code scanning dashboard (optional).
- # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
- with:
- sarif_file: results.sarif
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index de00043..640a9e3 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,4 +1,4 @@
-name: Ubuntu CI
+name: Ubuntu

 on:
 pull_request:
@@ -27,17 +27,6 @@ jobs:
 - run: .github/build.sh ubuntu
 - uses: actions/upload-artifact@v4
 with:
- name: openpace
+ name: openpace-${{ github.ref_name }}-src
 path:
 openpace*.tar.gz
-
- build-ape:
- runs-on: ubuntu-24.04
- steps:
- - uses: actions/checkout@v4
- - run: .github/build.sh ape
- - uses: actions/upload-artifact@v4
- with:
- name: openpace-bin
- path:
- openpace-bin
diff --git a/Makefile.am b/Makefile.am
index 5204656..f477e88 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src bindings -EXTRA_DIST = libeac.pc.in bootstrap generate-eac-pki.sh docs appveyor.yml NEWS.md +EXTRA_DIST = libeac.pc.in bootstrap generate-eac-pki.sh docs appveyor.yml DISTCHECK_CONFIGURE_FLAGS = --enable-java --enable-python --disable-openssl-install if WIN32
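Review bot: The renamed artifact `openpace-${{ github.ref_name }}-src` in the upload-artifact step will be rejected by upload-artifact@v4 on `pull_request` runs, where `github.ref_name` is `<number>/merge`, since artifact names may not contain `/`; the same applies to push runs on branches with a `/` in the name. A name without that character, e.g. `name: openpace-${{ github.sha }}-src` or `name: openpace-${{ github.run_id }}-src`, avoids the failure. The removed build-ape job appears to be moved to the new ape.yml in this same commit, so that part needs no further comment.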
diff --git a/NEWS.md b/NEWS.md
deleted file mode 100644
index 96462c2..0000000
--- a/NEWS.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# OpenPACE X.X.X
-
-## Enhancements
-
-* Improved documentation to match OpenSSF best practices
-
-## Bug fixes
-
-* Added handling of memory errors in language bindings (`get_buf()`)
diff --git a/SECURITY.md b/SECURITY.md
index c775c09..265a066 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -5,8 +5,8 @@
 | Version | Supported |
 | ---------------------------------------------------------- | ------------------ |
 | https://github.com/frankmorgner/openpace/releases/latest | :white_check_mark: |
-| < latest release version | :x: |
+| all previous versions | :x: |

 ## Reporting a Vulnerability

-Please report vulnerabilities to frankmorgner@gmail.com; you can expect a response within one week.
+Please report vulnerabilities at the project's [security page](https://github.com/frankmorgner/openpace/security/advisories/new); you can expect a response within one week.
diff --git a/configure.ac b/configure.ac
index 5a6a090..c0cbedf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.67]) -AC_INIT([OpenPACE], [1.1.3], [https://github.com/frankmorgner/openpace/issues], [openpace], [http://frankmorgner.github.io/openpace/]) +AC_INIT([OpenPACE], [1.1.4], [https://github.com/frankmorgner/openpace/issues], [openpace], [http://frankmorgner.github.io/openpace/]) AC_CONFIG_SRCDIR([src/eactest.c]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4])