
Security: mlflow-oidc/mlflow-oidc-auth

SECURITY.md

Security Policy

This project and its community take security bugs seriously. We appreciate efforts to improve the security of this software and follow GitHub's coordinated disclosure process for security vulnerabilities, which enables responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.

Supported Versions

The latest version of this project is supported. If a critical vulnerability is found in the current version, we may opt to backport patches to previous versions.

Reporting a Vulnerability

When you find a security vulnerability in this project, please perform the following actions:

  • Open an issue on the repository. Use [BUG] Security Vulnerability as the title and do not mention any vulnerability details in the issue itself.
  • Send a notification email to [email protected] that contains, at a minimum:
    • The link to the filed issue stub
    • Your GitHub handle
    • Detailed information about the security vulnerability, evidence that supports the relevance of the finding, and any reproducibility instructions for independent confirmation

This initial reporting stage ensures that rapid validation can occur without wasting the time and effort of the reporter. Future communication and vulnerability resolution will be conducted after validating the veracity of the reported issue.

A project maintainer will, after validating the report:

  • Mark the issue as priority/critical-urgent
  • Open a draft GitHub Security Advisory to discuss the vulnerability details in private

The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.
