Security: teaxyz/tea-token

Security Policy

Thank you for taking the time to help keep this project secure. This document explains how to report security vulnerabilities and the project's policy for handling them.

Reporting a Vulnerability

If you've discovered a security issue in this repository, please report it privately to the maintainers so we can address it before public disclosure.

Preferred contact method:

If email is not possible, open a private issue or send a direct message to the repository owner/maintainer on the platform where the project is hosted.

When reporting, please include:

  • A short summary of the vulnerability
  • Step-by-step reproduction (ideally with a minimal test case or PoC)
  • Affected versions/commit hash
  • Impact assessment (possible impact if exploited)
  • Your contact information (optional)

Do not post vulnerabilities to public issue trackers or other public channels until we have remedied the issue or agreed on a coordinated disclosure timeline.

Response and Timeline

We aim to respond to all vulnerability reports within 72 hours. Typical flow:

  1. Acknowledge receipt within 72 hours.
  2. Triage and confirm the issue.
  3. Propose a mitigation or patch and provide an estimated timeline.
  4. Coordinate disclosure once a fix is merged or a mitigation is in place.

If we cannot contact you directly, we will follow a 90-day disclosure timeline from the time the issue is confirmed.

Safe Harbor

If you follow the reporting guidance above and act in good faith, we will not initiate legal action against you for your security research related to this repository.

PGP Key

You may encrypt sensitive reports using the project's PGP key if available. If no key is present, send the report to the email above.

Disclosure Policy

We follow coordinated disclosure: we will publicly disclose the vulnerability after the issue has been fixed or after a reasonable disclosure window (normally 90 days) if there is no patch.


If you are a maintainer and want to change this policy, update this file and ensure a public contact or process is available for external researchers.
