Do not report security issues in public GitHub issues, pull requests, or discussions.
Send vulnerability reports to:
Include the following details when possible:
- Vulnerability title and summary
- Affected component and versions
- Reproduction steps or proof of concept
- Impact assessment and possible exploitability
- Suggested mitigations (optional)
We expect coordinated and responsible disclosure:
- Give the maintainers a reasonable opportunity to investigate and remediate.
- Avoid public disclosure until a fix or mitigation is available.
- Do not access, modify, or exfiltrate data beyond what is needed to demonstrate the issue.
- Do not perform destructive testing or service disruption.
The project aims to follow this response timeline:
- Acknowledgment within 3 business days
- Initial triage and severity assessment within 7 business days
- Periodic status updates during remediation
- Public disclosure and release notes after remediation, when appropriate
Response times may vary based on severity, impact, and maintainer availability.
This policy applies to security vulnerabilities in this repository and maintained releases.
Good-faith security research conducted under this policy and within applicable law is welcome.