Your assistance in identifying vulnerabilities in our project is greatly appreciated. We take all disclosures seriously.
If you discover a vulnerability, please do the following:
- DO NOT open an issue. We prefer to keep vulnerability reports private.
- Email us directly at [email protected] with as many details as possible about the vulnerability.
Your report should include:
- A description of the vulnerability
- Steps to reproduce the issue, if possible
- Potential impact of the vulnerability
- Any potential solutions or mitigations you can think of
We'll acknowledge your email within 48 hours and will send a more detailed response within 48 hours indicating the next steps in handling your report.
After the initial reply to your report, we'll endeavor to keep you informed about our progress towards closing the issue and may ask for additional information or guidance.
Once we have a fix, we will publish a security advisory in the GitHub repository that details the issue and the steps users should take to mitigate it. Public disclosure will only occur after the fix has been implemented and tested.
This will generally be within 14 days, but the exact timeline will depend on the severity and complexity of the issue. You will be kept informed of all dates and details.
If you have suggestions on how this process could be improved, please submit a pull request.