Please do not open a public GitHub Issue for security vulnerabilities.
Preferred method: Use GitHub Private Vulnerability Reporting — click "Report a vulnerability" on the Security tab of the affected repository.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
Response commitment: Acknowledgement within 48 hours. If confirmed, a CVE will be requested and you will be credited in the published security advisory.
Security research conducted in good faith is authorized. Researchers who:
- Report through the official channels above
- Avoid accessing or modifying user data
- Do not disrupt service availability
- Keep findings confidential during the disclosure window
...will not face legal action from this project's maintainers.
Confirmed vulnerability reporters are:
- Credited by name (or pseudonym if preferred) in the published GitHub Security Advisory
- Listed in CONTRIBUTORS.md
- Offered a LinkedIn recommendation for high-severity findings (at maintainer discretion)
We do not currently offer monetary rewards.
Maintained by drasticstatic