To report a security vulnerability or for additional details regarding our responsible disclosure policy, please email us directly at [email protected]
Include as much detailed information as possible concerning the vulnerability along with a proof of concept showing how the vulnerability could be exploited if appropriate. You may also include any recommendations you have for correcting the vulnerability. Please do not include any personally identifiable information (PII), excluding your own contact details, in your report.
We strive to respond to vulnerability reports within 48 hours, though it can take up to 96 hours on weekends and holidays. The first email you recieve will be a confirmation that we recieved your report. You will recieve a second email once we confirm or reject the vulnerability. We may ask you additional questions during our resolution process, though it is entirely up to you if you wish to respond. You will recieve a final email once the vulnerability is patched thanking you for your contribution.
If your vulnerability is accepted, and with your permission, we will add your name to a Security Contributors list on the project's GitHub landing page along with a link of your choosing.
We do not seek legal action against security researchers under any circumastances so long as your work is performed in good faith (eg Don't release sensitive information or trade secrets). We ask that you do not publically disclose the information until we have rolled out a patch. However, we will not pursue legal action if you decide to do so.