The maintainers of the Docker Language Server project take security seriously. If you discover a security issue, please bring it to their attention right away!

Please DO NOT file a public issue, instead send your report privately to [email protected].

Reporter(s) can expect a response within 72 hours, acknowledging the issue was received.

After receiving the report, an initial triage and technical analysis is performed to confirm the report and determine its scope. We may request additional information in this stage of the process.

Once a reviewer has confirmed the relevance of the report, a draft security advisory will be created on GitHub. The draft advisory will be used to discuss the issue with maintainers, the reporter(s), and where applicable, other affected parties under embargo.

If the vulnerability is accepted, a timeline for developing a patch, public disclosure, and patch release will be determined. If there is an embargo period on public disclosure before the patch release, the reporter(s) are expected to participate in the discussion of the timeline and abide by agreed upon dates for public disclosure.

Security reports are greatly appreciated and we will publicly thank you, although we will keep your name confidential if you request it. We also like to send gifts - if you're into swag, make sure to let us know. We do not currently offer a paid security bounty program at this time.

Should anything in this document be unclear or if you are looking for additional information about how Docker reviews and responds to security vulnerabilities, please take a look at Docker's Vulnerability Disclosure Policy.