We release patches for security vulnerabilities. Until a version 1.0 is released, we will only release patches for the latest version.
This section tells you how to report a vulnerability in your project.
If you find a security vulnerability in any of our projects, please do not create a public issue or pull request. Instead, email us at [email protected] with the details of the vulnerability and how to reproduce it. We will review your report and respond within two business days.
We appreciate your responsible disclosure of security vulnerabilities and we will try to fix them in a timely manner. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
Please do not disclose the vulnerability to anyone else until we have fixed it and given you permission to do so.